xenorat | 1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38

Resubmissions

11-05-2024 19:51

240511-ykvkzahc78 10

11-05-2024 19:45

240511-ygfmmsec3y 10

11-05-2024 18:50

240511-xhabksfa93 10

Analysis

max time kernel
298s
max time network
279s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AudinoBuilder.exe
Size

5.6MB
MD5

c4cb065184458a9e05b7c893642f9b3c
SHA1

36327e2e82c26c3d39dcc51569c08c624c90ae20
SHA256

1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38
SHA512

2e9809bce89db2566c7aa9143afc5c818cc2765ea6c0ab2e8d583aac7a7b1cca5d601b5ecb8cc676221118ab2b8b333eea7fad614f5150ae95c76b979388faa4
SSDEEP

98304:lKAVWycWWgSj67/ngnLqAABRvCrnVAo3tH/Gfz7H7YzA4AzRP2HjdgW0NaBFV:8TylWgSj6DnDvRKrnVAoBQHHkERPPW0K

Score

10^/10

xenorat zgrat evasion execution persistence rat trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
45010
startup_name
ErrorManager

Signatures

Detect ZGRat V1 29 IoCs

resource	yara_rule
behavioral1/memory/4480-50-0x0000000004D80000-0x0000000004DEC000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-120-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-104-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-91-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-84-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-79-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-73-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-69-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-124-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-122-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-118-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-116-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-114-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-112-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-110-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-108-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-106-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-99-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-97-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-93-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-89-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-88-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-85-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-81-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-77-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-75-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-71-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-67-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4480-66-0x0000000004D80000-0x0000000004DE5000-memory.dmp	family_zgrat_v1

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6520	powershell.exe
5208	powershell.exe
3500	powershell.exe
5952	powershell.exe
5468	powershell.exe
3092	powershell.exe
7116	powershell.exe
5524	powershell.exe
7036	powershell.exe
764	powershell.exe
7148	powershell.exe
7008	powershell.exe
4848	powershell.exe
1648	powershell.exe
2756	powershell.exe
5708	powershell.exe
2472	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 11 IoCs

pid	Process
4480	Ilkdt.exe
3324	WinHostMgr.exe
3864	WindowsSubsystem.exe
4864	WindowsSubsystem.exe
6972	bauwrdgwodhv.exe
3916	bauwrdgwodhv.exe
5096	bauwrdgwodhv.exe
5224	bauwrdgwodhv.exe
5220	bauwrdgwodhv.exe
6140	bauwrdgwodhv.exe
5060	bauwrdgwodhv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
18	pastebin.com

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\System32\services.msc	mmc.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 6972 set thread context of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 set thread context of 5192	6972	bauwrdgwodhv.exe	150

Launches sc.exe 44 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5776	sc.exe
6108	sc.exe
6064	sc.exe
2912	sc.exe
764	sc.exe
5840	sc.exe
7012	sc.exe
860	sc.exe
5184	sc.exe
5200	sc.exe
6436	sc.exe
5828	sc.exe
3340	sc.exe
800	sc.exe
5188	sc.exe
5628	sc.exe
7164	sc.exe
2112	sc.exe
644	sc.exe
3312	sc.exe
4988	sc.exe
3756	sc.exe
7088	sc.exe
5208	sc.exe
1312	sc.exe
5528	sc.exe
4324	sc.exe
4688	sc.exe
764	sc.exe
6960	sc.exe
3388	sc.exe
6796	sc.exe
3456	sc.exe
6168	sc.exe
6356	sc.exe
5624	sc.exe
6692	sc.exe
6052	sc.exe
3344	sc.exe
6976	sc.exe
5540	sc.exe
5656	sc.exe
1840	sc.exe
6216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6280	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
2472	powershell.exe
3464	taskmgr.exe
3464	taskmgr.exe
2472	powershell.exe
2472	powershell.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3324	WinHostMgr.exe
6520	powershell.exe
6520	powershell.exe
3464	taskmgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe
3324	WinHostMgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3464	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	taskmgr.exe
Token: SeSystemProfilePrivilege	3464	taskmgr.exe
Token: SeCreateGlobalPrivilege	3464	taskmgr.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	4480	Ilkdt.exe
Token: SeDebugPrivilege	6520	powershell.exe
Token: SeShutdownPrivilege	5480	powercfg.exe
Token: SeCreatePagefilePrivilege	5480	powercfg.exe
Token: SeShutdownPrivilege	5508	powercfg.exe
Token: SeCreatePagefilePrivilege	5508	powercfg.exe
Token: SeShutdownPrivilege	5464	powercfg.exe
Token: SeCreatePagefilePrivilege	5464	powercfg.exe
Token: SeShutdownPrivilege	5460	powercfg.exe
Token: SeCreatePagefilePrivilege	5460	powercfg.exe
Token: SeDebugPrivilege	7116	powershell.exe
Token: SeShutdownPrivilege	3668	powercfg.exe
Token: SeCreatePagefilePrivilege	3668	powercfg.exe
Token: SeShutdownPrivilege	1448	powercfg.exe
Token: SeCreatePagefilePrivilege	1448	powercfg.exe
Token: SeShutdownPrivilege	4472	powercfg.exe
Token: SeCreatePagefilePrivilege	4472	powercfg.exe
Token: SeShutdownPrivilege	2052	powercfg.exe
Token: SeCreatePagefilePrivilege	2052	powercfg.exe
Token: SeLockMemoryPrivilege	5192	explorer.exe
Token: SeDebugPrivilege	5524	powershell.exe
Token: SeDebugPrivilege	7008	powershell.exe
Token: SeShutdownPrivilege	5888	powercfg.exe
Token: SeCreatePagefilePrivilege	5888	powercfg.exe
Token: SeShutdownPrivilege	5916	powercfg.exe
Token: SeCreatePagefilePrivilege	5916	powercfg.exe
Token: SeShutdownPrivilege	5864	powercfg.exe
Token: SeCreatePagefilePrivilege	5864	powercfg.exe
Token: SeShutdownPrivilege	5908	powercfg.exe
Token: SeCreatePagefilePrivilege	5908	powercfg.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeShutdownPrivilege	6636	powercfg.exe
Token: SeCreatePagefilePrivilege	6636	powercfg.exe
Token: SeShutdownPrivilege	6620	powercfg.exe
Token: SeCreatePagefilePrivilege	6620	powercfg.exe
Token: SeShutdownPrivilege	6640	powercfg.exe
Token: SeCreatePagefilePrivilege	6640	powercfg.exe
Token: SeShutdownPrivilege	6608	powercfg.exe
Token: SeCreatePagefilePrivilege	6608	powercfg.exe
Token: SeDebugPrivilege	7036	powershell.exe
Token: SeDebugPrivilege	5708	powershell.exe
Token: SeShutdownPrivilege	1500	powercfg.exe
Token: SeCreatePagefilePrivilege	1500	powercfg.exe
Token: SeShutdownPrivilege	1496	powercfg.exe
Token: SeCreatePagefilePrivilege	1496	powercfg.exe
Token: SeShutdownPrivilege	1176	powercfg.exe
Token: SeCreatePagefilePrivilege	1176	powercfg.exe
Token: SeShutdownPrivilege	1064	powercfg.exe
Token: SeCreatePagefilePrivilege	1064	powercfg.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	5544	powercfg.exe
Token: SeCreatePagefilePrivilege	5544	powercfg.exe
Token: SeShutdownPrivilege	5636	powercfg.exe
Token: SeCreatePagefilePrivilege	5636	powercfg.exe
Token: SeShutdownPrivilege	5588	powercfg.exe
Token: SeCreatePagefilePrivilege	5588	powercfg.exe
Token: SeShutdownPrivilege	6036	powercfg.exe
Token: SeCreatePagefilePrivilege	6036	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
892	mmc.exe
892	mmc.exe
892	mmc.exe
892	mmc.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2472	2248	AudinoBuilder.exe	84
PID 2248 wrote to memory of 2472	2248	AudinoBuilder.exe	84
PID 2248 wrote to memory of 2472	2248	AudinoBuilder.exe	84
PID 2248 wrote to memory of 4480	2248	AudinoBuilder.exe	86
PID 2248 wrote to memory of 4480	2248	AudinoBuilder.exe	86
PID 2248 wrote to memory of 4480	2248	AudinoBuilder.exe	86
PID 2248 wrote to memory of 3324	2248	AudinoBuilder.exe	87
PID 2248 wrote to memory of 3324	2248	AudinoBuilder.exe	87
PID 2248 wrote to memory of 3864	2248	AudinoBuilder.exe	88
PID 2248 wrote to memory of 3864	2248	AudinoBuilder.exe	88
PID 2248 wrote to memory of 3864	2248	AudinoBuilder.exe	88
PID 3864 wrote to memory of 4864	3864	WindowsSubsystem.exe	89
PID 3864 wrote to memory of 4864	3864	WindowsSubsystem.exe	89
PID 3864 wrote to memory of 4864	3864	WindowsSubsystem.exe	89
PID 4864 wrote to memory of 6280	4864	WindowsSubsystem.exe	91
PID 4864 wrote to memory of 6280	4864	WindowsSubsystem.exe	91
PID 4864 wrote to memory of 6280	4864	WindowsSubsystem.exe	91
PID 6688 wrote to memory of 6816	6688	cmd.exe	102
PID 6688 wrote to memory of 6816	6688	cmd.exe	102
PID 6996 wrote to memory of 7152	6996	cmd.exe	132
PID 6996 wrote to memory of 7152	6996	cmd.exe	132
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 3680	6972	bauwrdgwodhv.exe	146
PID 6972 wrote to memory of 5192	6972	bauwrdgwodhv.exe	150
PID 6972 wrote to memory of 5192	6972	bauwrdgwodhv.exe	150
PID 6972 wrote to memory of 5192	6972	bauwrdgwodhv.exe	150
PID 6972 wrote to memory of 5192	6972	bauwrdgwodhv.exe	150
PID 6972 wrote to memory of 5192	6972	bauwrdgwodhv.exe	150
PID 6420 wrote to memory of 5816	6420	cmd.exe	161
PID 6420 wrote to memory of 5816	6420	cmd.exe	161
PID 232 wrote to memory of 6308	232	cmd.exe	187
PID 232 wrote to memory of 6308	232	cmd.exe	187
PID 5580 wrote to memory of 1580	5580	cmd.exe	215
PID 5580 wrote to memory of 1580	5580	cmd.exe	215
PID 3288 wrote to memory of 1904	3288	cmd.exe	239
PID 3288 wrote to memory of 1904	3288	cmd.exe	239
PID 2620 wrote to memory of 5312	2620	cmd.exe	265
PID 2620 wrote to memory of 5312	2620	cmd.exe	265
PID 3464 wrote to memory of 892	3464	taskmgr.exe	283
PID 3464 wrote to memory of 892	3464	taskmgr.exe	283
PID 420 wrote to memory of 2416	420	cmd.exe	297
PID 420 wrote to memory of 2416	420	cmd.exe	297

C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaAB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAeQB0ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6688
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6816
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6796
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6976
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5188
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5460
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5480
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5464
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:5528
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5628
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:5840
- C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "ErrorManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9B.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:6280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3148

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6972
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:7116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6996
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:7152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:764
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3312
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:5524
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3916
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:7008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6420
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:7164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5776
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4988
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3456
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6052
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5864
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5888
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5908
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:5208
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5096
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6308
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5540
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2112
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6168
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6356
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6436
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6608
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6636
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6640
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:7036
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5224
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:5708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5580
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1580
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6108
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5828
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3340
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6960
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1500
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5220
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1904
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1840
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:644
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5624
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6064
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6216
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5544
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5636
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6036
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:7148
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:6140
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5312
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3756
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5184
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5208
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2912
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3344
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2704
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:2456
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4028
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:6260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1648
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5060
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:420
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2416
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1312
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:7088
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3388
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5200
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:764
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6280
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5372
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:3140
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5468
- - C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
    3⤵
    PID:6188
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3092
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5192

C:\Windows\System32\Fondue.exe
"C:\Windows\System32\Fondue.exe"
1⤵
PID:4980

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7f5d144f73b044859694be091402ef21 /t 6020 /p 892
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:6856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsSubsystem.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0217aeeba8ff841eb66f91ea33b46c6d

SHA1
47166ad090ddc8bb8c05ba650526b4b0625e4d21

SHA256
65f0fab2b086611cdfef3382c89d3bfb307f909448ef968bbb6379104b0985f1

SHA512
1d7141b27132b511e3c33e57fb0f62c9b9e9fbb151dc33fff258dd7ac4ad98d2d805d5011fc4b4baa27431a544a637d23a2054140b65509c1b765598e361ce5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe

Filesize
43KB

MD5
6b44f7785d4ce45ede1b02681227d987

SHA1
444d76fb81d4fbeb9c1a2011d2de8f2b8ff0084a

SHA256
2c85b511ff201346d1e6c2ab300445ad263ed40192c1748ec10fa02f6aa05186

SHA512
83f96b49bf619aa8fd89a7fb7be282d7a06e6ae0dd8f42ef8ad9e1832a889d9dc3b8920989cea5fbecfec63dd894f49d5ad1d2d25894de7b523add0539d1de55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agsgfxto.cge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9B.tmp

Filesize
1KB

MD5
0cd3da1799bc79141a8e8b219f395b48

SHA1
53d117d84f3ba1066b59720965e25a84792439a5

SHA256
8bb355c414170a13cc47f16128844bac5089e9c845f7d07d4d098579b7c152d6

SHA512
686ef43213a06ba50e3b78c1f84782cbc2e8a87f97c297addf8bea5d78346420fd143dd7d4aa7f95a7827c2db4fd27c15cfec44fef6e700351cff887afc8e536

Download Submit
C:\Windows\TEMP\qdvyclnkfmuh.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc8a038897d8eb2ae75075b694f3ae93

SHA1
e6cd526c1178970c7df529452349cfe03d595d6f

SHA256
33ae78ff9335100e8055985b491a7cc97b844f9f9485f575b3eddbf8a22c5a65

SHA512
a9235dd2b47aa125ac9f57b139412a4be42cd7763869c3b9010f579d57e81308d3c9a994fe18f51b5beb96fd402dbfcc45497d8ffcc28822c2bbbcf46bfb13ce

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d877bed603875c09dc9b0a70ab11cb4

SHA1
149438a26a43f94bdef184111022327c539294c1

SHA256
2d320a76e4755daecbc09763a4a7dbe40f286adc71cb27a168552565688895f6

SHA512
8e8b968f4dfad44d6bb6be482dc184d7cf2546dcd863ad4079527aac0c6a9623716060b60f14a8e52d6da457451d57e3c592456293d5aa7ae6031f3e46543b6b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9e1a46a334bbf867474606ab7890f8f

SHA1
f975f36b18fb73608b752c5fd3e5af5be780ee53

SHA256
476da7b2266f9176d80a9228b6b5bbbd1b4a505428dbbcddf575fb4b43acce64

SHA512
8948dde2697e53780d1547b6e48713739fad6a6fc2e8bd7b2be6b104524017c38b57f5c35721c5e96b742e562a7638584faec0d067324ef3035e2a2122a7e90f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b23098f177267be4246d62d65e6fe2a

SHA1
654d8a965052aa79841297429b82576491294c31

SHA256
48fab079f87743db47f4a77913ded28a29f890e2c54d6155bab59e7d6e3077b7

SHA512
1b9026fd1bed96b065f2c55246ef15bc4dc3f14f2b33ceaf20dca758cbddb8d036705814a803dfffac82769c8399a3c2af9982b81030360d2a2a81eeb6979299

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cad817712c369e3467ad284c816e72ad

SHA1
948405b22d465521a9c51fabe69621229b8cbc5a

SHA256
773770780aa72ab09f5978b4344955ec22ba01961f8d58bdb6b8c0ab6540b2c1

SHA512
b4c7528ba68d4f8829a235aba0d3ad7690ce657ec6d85a98faf58d5591fbd828de6c4d298782d5d04f9ab32cfee402f87050fef97678173b587004a6f8a40893

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2132286a00abf860d6b84f290a7e958

SHA1
d0f0aba0f26910bada5d3cce04f0501b4f59c0e9

SHA256
21e740e91794011c9f6e07dcaa0e59df7573c84d5ed52bfe87dc8e5f55e36748

SHA512
a7de4bfdaa6aea938a5a60e2e7afadfca71fe7d2c3b6f6af73f7bded9d520da862f9726959af543ed333337710ed1df6d430e7df3b906748f037e2ad68a06b87

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67ed34a5149b6cac0361cbe63c16e2be

SHA1
f44aeb64f849d6861fb0c3e5e576aba9d5425545

SHA256
c6e7b987f28d221e4ad06b28f2340a058a42b16a97aae45d6858d28948ed8e76

SHA512
36dc31f590415bf257e2189edf07026b654baac7d4473b9cd32a95d8dcf77e9c8cfc16c5280be6c91ee6fd647e7a4382c81cd28f5adc79a1f3367ce3480ff1e4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b17a74fb4e1a75a6dbd83be222935619

SHA1
347ac4fb349abde16aea642ad102cd9a4f8caef1

SHA256
1955165328ff735e6814133ecf8cef35b6b3d044d256cb5ef22d2e89092bbb9d

SHA512
78da6706df7ade181b31bd51af8338314b2cd57a7b68345202f4901cb80e315d0c1b00c6b13a963e530e1d03bdc3beee4a92d7b11c5ae8701802508c4427557a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e88c4353f0f44872d931576e1d141dfa

SHA1
574def77c77e50f59c2f3cce3e1f5078eac9e892

SHA256
544e42c20374677fbdb94f2fa6a6df3a0a2e6e0e17de9df41c389ac409f7a540

SHA512
6fa95ed56db53a9c736c3e599356c25461603435593680351ab916724ea74583b93808da98d293eceb8f402b866fe7a55b964992a623d228395d9776ce81247d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0de96b53acbd8206faa19ebef4a527ed

SHA1
759180062f2b8ece79317561b3555ecc7e01723b

SHA256
00341471b60c36cbe9eb6d9b04adb9cd9763ecf4bfa3607309c5d9e26cc82f80

SHA512
2bf3c10a30eae755ba925050603e74521c5ea845f8a93779927652bed5c2d44b8b1026e1747ce6a8b3263e5c465adc95792c8035cb89ecab98dd892d4516f686

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e04f17e0586d37630e4c2c43932952d

SHA1
d3cc9ba1aef4ba45a83bdc765b83d9709b3bf7ac

SHA256
001c5c5c738349bee99e2c22ecf5175a82681bb6eac13505fc23e916efc852b8

SHA512
c403d96cc6e549285a2f33bb335eb986a8c4568416eced0b3991a8df8aa2a21befb1af2e69bbdcb367855ce7bec319e7ecb2bf487639d092d2b99add222e7590

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1b14d9ab8ed28a1418da03ae88b9c0e

SHA1
5f34f7b26262da26f265ff2037baab0d054ebfc4

SHA256
5414026707880ec68a3cf76855d4c820a1d5f5397cfc312e67fe7ac0042e94e7

SHA512
ffa00cd8482e4e712067e756b20b9484319f007267f3cbf23889013e9a7a287711b5f260ac50511c8c69d1346d3e912554504088d53655e18b229cb0ec8da4fd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2384bf28242abe471d2fb3345035970b

SHA1
8ad3eee72499414e5a251735b354837efacb010d

SHA256
93a72182da27c47c047ba5ccc77666a3059faf3f43c7a4b23db1c1f65c381cae

SHA512
127f3c9fe179ab3877b6dab5bbf3e780b59bf077f21b6ad0f150a64df2a730a7d1e1b010dae7da2e6586b2ab9357c9512e6ee8123b771debbdc979e21e304738

Download Submit
memory/1648-1990-0x000001E374930000-0x000001E3749E3000-memory.dmp

Filesize
716KB

Download
memory/2472-47-0x0000000002360000-0x0000000002396000-memory.dmp

Filesize
216KB

Download
memory/2472-1683-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

Filesize
104KB

Download
memory/2472-65-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/2472-64-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/2472-49-0x0000000004DF0000-0x000000000541A000-memory.dmp

Filesize
6.2MB

Download
memory/2472-1680-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/2472-1681-0x0000000006B70000-0x0000000006C14000-memory.dmp

Filesize
656KB

Download
memory/2472-1671-0x0000000075320000-0x000000007536C000-memory.dmp

Filesize
304KB

Download
memory/2472-63-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

Filesize
136KB

Download
memory/2472-313-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/2472-1670-0x0000000006B10000-0x0000000006B44000-memory.dmp

Filesize
208KB

Download
memory/2472-1687-0x0000000007100000-0x000000000710E000-memory.dmp

Filesize
56KB

Download
memory/2472-131-0x0000000005670000-0x00000000059C7000-memory.dmp

Filesize
3.3MB

Download
memory/2472-1682-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/2472-1684-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/2472-1685-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/2472-312-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/2472-1686-0x00000000070D0000-0x00000000070E1000-memory.dmp

Filesize
68KB

Download
memory/2472-1690-0x00000000071F0000-0x00000000071F8000-memory.dmp

Filesize
32KB

Download
memory/2472-1689-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/2472-1688-0x0000000007110000-0x0000000007125000-memory.dmp

Filesize
84KB

Download
memory/3464-7-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-1-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-0-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-2-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-12-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-11-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-10-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-9-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-8-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3464-6-0x000001F1A12E0000-0x000001F1A12E1000-memory.dmp

Filesize
4KB

Download
memory/3864-45-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/4480-77-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-120-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-67-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-71-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-75-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-81-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-85-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-88-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-89-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-93-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-97-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-99-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-46-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/4480-106-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-50-0x0000000004D80000-0x0000000004DEC000-memory.dmp

Filesize
432KB

Download
memory/4480-124-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-104-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-91-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-84-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-79-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-73-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-69-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-66-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-108-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-110-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-112-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-114-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-116-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-118-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/4480-122-0x0000000004D80000-0x0000000004DE5000-memory.dmp

Filesize
404KB

Download
memory/5708-1880-0x000002412EFE0000-0x000002412F093000-memory.dmp

Filesize
716KB

Download
memory/6520-1700-0x000002B1FF1D0000-0x000002B1FF1F2000-memory.dmp

Filesize
136KB

Download
memory/7116-1732-0x0000026DB6C00000-0x0000026DB6C08000-memory.dmp

Filesize
32KB

Download
memory/7116-1733-0x0000026DB7150000-0x0000026DB7156000-memory.dmp

Filesize
24KB

Download
memory/7116-1734-0x0000026DB7160000-0x0000026DB716A000-memory.dmp

Filesize
40KB

Download
memory/7116-1731-0x0000026DB7170000-0x0000026DB718A000-memory.dmp

Filesize
104KB

Download
memory/7116-1730-0x0000026DB6BF0000-0x0000026DB6BFA000-memory.dmp

Filesize
40KB

Download
memory/7116-1729-0x0000026DB7130000-0x0000026DB714C000-memory.dmp

Filesize
112KB

Download
memory/7116-1728-0x0000026DB6BE0000-0x0000026DB6BEA000-memory.dmp

Filesize
40KB

Download
memory/7116-1726-0x0000026DB6B90000-0x0000026DB6BAC000-memory.dmp

Filesize
112KB

Download
memory/7116-1727-0x0000026DB6F70000-0x0000026DB7023000-memory.dmp

Filesize
716KB

Download