darkcomet | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus[.]exe

Analysis

max time kernel
230s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe

Score

10^/10

darkcomet dharma aspackv2 defense_evasion evasion execution impact persistence ransomware rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5628	attrib.exe
29116	attrib.exe
24964	attrib.exe
21340	attrib.exe
11932	attrib.exe
13892	attrib.exe
33032	attrib.exe
12192	attrib.exe
19564	attrib.exe
26396	attrib.exe
232	attrib.exe
3512	attrib.exe
27632	attrib.exe
22208	attrib.exe
23080	attrib.exe
6224	attrib.exe
13736	attrib.exe
30704	attrib.exe
8348	attrib.exe
12100	attrib.exe
9036	attrib.exe
27820	attrib.exe
13708	attrib.exe
23136	attrib.exe
18956	attrib.exe
30464	attrib.exe
22148	attrib.exe
19388	attrib.exe
21476	attrib.exe
23404	attrib.exe
32620	attrib.exe
20608	attrib.exe
18844	attrib.exe
22768	attrib.exe
24292	attrib.exe
12096	attrib.exe
9084	attrib.exe
13284	attrib.exe
27876	attrib.exe
23072	attrib.exe
6028	attrib.exe
23588	attrib.exe
19532	attrib.exe
26260	attrib.exe
31736	attrib.exe
24448	attrib.exe
19932	attrib.exe
5672	attrib.exe
24708	attrib.exe
30192	attrib.exe
11888	attrib.exe
20928	attrib.exe
8848	attrib.exe
23612	attrib.exe
24236	attrib.exe
22160	attrib.exe
15784	attrib.exe
15016	attrib.exe
15044	attrib.exe
13988	attrib.exe
17132	attrib.exe
27752	attrib.exe
24936	attrib.exe
25616	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000021b17-25129.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Blackkomet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	winupdate.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 22 IoCs

pid	Process
5492	CoronaVirus.exe
5704	CoronaVirus.exe
5736	CoronaVirus.exe
5740	msedge.exe
29240	msedge.exe
11084	msedge.exe
4168	msedge.exe
6540	Popup.exe
17724	msedge.exe
17332	msedge.exe
9984	msedge.exe
9288	Trololo.exe
16068	msedge.exe
15524	msedge.exe
15328	msedge.exe
14180	Blackkomet.exe
8904	winupdate.exe
3884	winupdate.exe
26980	winupdate.exe
26528	winupdate.exe
23276	winupdate.exe
22720	winupdate.exe

Loads dropped DLL 10 IoCs

pid	Process
5740	msedge.exe
29240	msedge.exe
11084	msedge.exe
4168	msedge.exe
17724	msedge.exe
17332	msedge.exe
9984	msedge.exe
16068	msedge.exe
15524	msedge.exe
15328	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
58	raw.githubusercontent.com

Drops file in System32 directory 43 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\canary.identity_helper.exe.manifest	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\selector.js.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabimp.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\BlankImage.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gu.pak.DATA.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_sr.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll	CoronaVirus.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\PackageManagementDscUtilities.strings.psd1.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ml.pak.DATA	CoronaVirus.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.id-1CE9ADE2.[[email protected]].ncov	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
25764	11120	WerFault.exe	615
13596	13316	WerFault.exe	687
22984	21352	WerFault.exe	921
33736	32120	WerFault.exe	1139
4796	21148	WerFault.exe	1190

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
30492	vssadmin.exe
32080	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
9560	taskkill.exe
10624	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 686385.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 125520.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 464707.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 445983.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 56777.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
1976	msedge.exe
1976	msedge.exe
1544	identity_helper.exe
1544	identity_helper.exe
5384	msedge.exe
5384	msedge.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe
5492	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	31556	vssvc.exe
Token: SeRestorePrivilege	31556	vssvc.exe
Token: SeAuditPrivilege	31556	vssvc.exe
Token: SeDebugPrivilege	9560	taskkill.exe
Token: SeDebugPrivilege	10624	taskkill.exe
Token: 33	10964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	10964	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	14180	Blackkomet.exe
Token: SeSecurityPrivilege	14180	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	14180	Blackkomet.exe
Token: SeLoadDriverPrivilege	14180	Blackkomet.exe
Token: SeSystemProfilePrivilege	14180	Blackkomet.exe
Token: SeSystemtimePrivilege	14180	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	14180	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	14180	Blackkomet.exe
Token: SeCreatePagefilePrivilege	14180	Blackkomet.exe
Token: SeBackupPrivilege	14180	Blackkomet.exe
Token: SeRestorePrivilege	14180	Blackkomet.exe
Token: SeShutdownPrivilege	14180	Blackkomet.exe
Token: SeDebugPrivilege	14180	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	14180	Blackkomet.exe
Token: SeChangeNotifyPrivilege	14180	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	14180	Blackkomet.exe
Token: SeUndockPrivilege	14180	Blackkomet.exe
Token: SeManageVolumePrivilege	14180	Blackkomet.exe
Token: SeImpersonatePrivilege	14180	Blackkomet.exe
Token: SeCreateGlobalPrivilege	14180	Blackkomet.exe
Token: 33	14180	Blackkomet.exe
Token: 34	14180	Blackkomet.exe
Token: 35	14180	Blackkomet.exe
Token: 36	14180	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	8904	winupdate.exe
Token: SeSecurityPrivilege	8904	winupdate.exe
Token: SeTakeOwnershipPrivilege	8904	winupdate.exe
Token: SeLoadDriverPrivilege	8904	winupdate.exe
Token: SeSystemProfilePrivilege	8904	winupdate.exe
Token: SeSystemtimePrivilege	8904	winupdate.exe
Token: SeProfSingleProcessPrivilege	8904	winupdate.exe
Token: SeIncBasePriorityPrivilege	8904	winupdate.exe
Token: SeCreatePagefilePrivilege	8904	winupdate.exe
Token: SeBackupPrivilege	8904	winupdate.exe
Token: SeRestorePrivilege	8904	winupdate.exe
Token: SeShutdownPrivilege	8904	winupdate.exe
Token: SeDebugPrivilege	8904	winupdate.exe
Token: SeSystemEnvironmentPrivilege	8904	winupdate.exe
Token: SeChangeNotifyPrivilege	8904	winupdate.exe
Token: SeRemoteShutdownPrivilege	8904	winupdate.exe
Token: SeUndockPrivilege	8904	winupdate.exe
Token: SeManageVolumePrivilege	8904	winupdate.exe
Token: SeImpersonatePrivilege	8904	winupdate.exe
Token: SeCreateGlobalPrivilege	8904	winupdate.exe
Token: 33	8904	winupdate.exe
Token: 34	8904	winupdate.exe
Token: 35	8904	winupdate.exe
Token: 36	8904	winupdate.exe
Token: SeIncreaseQuotaPrivilege	3884	winupdate.exe
Token: SeSecurityPrivilege	3884	winupdate.exe
Token: SeTakeOwnershipPrivilege	3884	winupdate.exe
Token: SeLoadDriverPrivilege	3884	winupdate.exe
Token: SeSystemProfilePrivilege	3884	winupdate.exe
Token: SeSystemtimePrivilege	3884	winupdate.exe
Token: SeProfSingleProcessPrivilege	3884	winupdate.exe
Token: SeIncBasePriorityPrivilege	3884	winupdate.exe
Token: SeCreatePagefilePrivilege	3884	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3812	1976	msedge.exe	83
PID 1976 wrote to memory of 3812	1976	msedge.exe	83
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4828	1976	msedge.exe	84
PID 1976 wrote to memory of 4508	1976	msedge.exe	85
PID 1976 wrote to memory of 4508	1976	msedge.exe	85
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86
PID 1976 wrote to memory of 208	1976	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
20056	attrib.exe
23136	attrib.exe
27796	attrib.exe
27632	attrib.exe
22768	attrib.exe
5672	attrib.exe
27752	attrib.exe
31160	attrib.exe
15136	attrib.exe
18936	attrib.exe
21340	attrib.exe
5344	attrib.exe
3140	attrib.exe
8740	attrib.exe
19824	attrib.exe
15784	attrib.exe
13708	attrib.exe
23588	attrib.exe
16456	attrib.exe
6956	attrib.exe
3128	attrib.exe
11704	attrib.exe
10232	attrib.exe
29204	attrib.exe
31456	attrib.exe
19932	attrib.exe
25644	attrib.exe
30004	attrib.exe
19388	attrib.exe
13032	attrib.exe
18116	attrib.exe
7588	attrib.exe
9084	attrib.exe
7552	attrib.exe
10712	attrib.exe
8112	attrib.exe
13240	attrib.exe
11704	attrib.exe
24644	attrib.exe
29176	attrib.exe
19532	attrib.exe
27968	attrib.exe
10688	attrib.exe
24328	attrib.exe
15092	attrib.exe
23440	attrib.exe
17856	attrib.exe
27660	attrib.exe
7520	attrib.exe
4420	attrib.exe
23072	attrib.exe
22148	attrib.exe
32888	attrib.exe
31484	attrib.exe
27712	attrib.exe
28352	attrib.exe
21292	attrib.exe
24484	attrib.exe
21148	attrib.exe
20692	attrib.exe
11900	attrib.exe
24448	attrib.exe
19564	attrib.exe
26524	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceba246f8,0x7ffceba24708,0x7ffceba24718
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5384
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5492
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5788
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:14392
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:30492
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:30444
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:31228
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:32080
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:30788
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:30852
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  PID:5704
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3308 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:29240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4168
- C:\Users\Admin\Downloads\Popup.exe
  "C:\Users\Admin\Downloads\Popup.exe"
  2⤵
  - Executes dropped EXE
  PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:17724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:17332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:9984
- C:\Users\Admin\Downloads\Trololo.exe
  "C:\Users\Admin\Downloads\Trololo.exe"
  2⤵
  - Executes dropped EXE
  PID:9288
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:9560
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:10624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:15524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:15328
- C:\Users\Admin\Downloads\Blackkomet.exe
  "C:\Users\Admin\Downloads\Blackkomet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:14180
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:14576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
    3⤵
    PID:30736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Views/modifies file attributes
    PID:27968
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:8904
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:27692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:27660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Drops file in System32 directory
      PID:27632
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:3884
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:27296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Drops file in System32 directory
        
        PID:23052
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Drops file in System32 directory
        
        PID:23032
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:26980
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:26816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Drops file in System32 directory
        
        PID:26796
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Drops file in System32 directory
        
        PID:26780
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:26528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:24280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:24292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:24236
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:23276
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:23144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:23072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:23080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:22720
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:22604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Drops file in System32 directory
        
        PID:22572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Drops file in System32 directory
        
        PID:22544
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:22280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:22216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        
        PID:22160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:22148
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:21768
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:21680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        
        PID:21656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        
        PID:21640
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:21356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:21260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        
        PID:21188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Views/modifies file attributes
        
        PID:21148
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:20548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:20640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        
        PID:20700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Views/modifies file attributes
        
        PID:20692
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:20484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:20324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        
        PID:20316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        
        PID:20352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:19992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:19904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        
        PID:19860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        Views/modifies file attributes
        
        PID:19824
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:19532
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:19436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:19388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        
        PID:19412
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:19148
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        
        PID:18948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        Sets file to hidden
        
        PID:18956
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:18628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:18536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        
        PID:18524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        
        PID:18420
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:18196
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        
        PID:18024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        
        PID:18012
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:17772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:17632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        
        PID:17608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        
        PID:17560
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:17220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        
        PID:17372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        
        PID:17364
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:16912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        Sets file to hidden
        
        PID:9036
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        
        PID:14184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        
        PID:14224
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        
        PID:15252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        
        PID:15292
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:15632
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        
        PID:15780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:15784
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:16044
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:16208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        27⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        27⤵
        
        PID:16248
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:16668
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        28⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        28⤵
        Views/modifies file attributes
        
        PID:13708
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        29⤵
        Sets file to hidden
        
        PID:13284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        29⤵
        Views/modifies file attributes
        
        PID:13240
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        30⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        30⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:12348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        31⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        31⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        32⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        32⤵
        Sets file to hidden
        
        PID:11888
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        32⤵
        
        PID:27716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        33⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        33⤵
        Views/modifies file attributes
        
        PID:10232
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        33⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        34⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        34⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        34⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        35⤵
        Sets file to hidden
        
        PID:21476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        35⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        35⤵
        
        PID:33360
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:32980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        36⤵
        Views/modifies file attributes
        
        PID:32888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        36⤵
        
        PID:32836
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        36⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:14736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        37⤵
        Sets file to hidden
        
        PID:15016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        37⤵
        Views/modifies file attributes
        
        PID:15092
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        37⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:24564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        38⤵
        
        PID:25444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        38⤵
        
        PID:25476
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        38⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        39⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        39⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        39⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        40⤵
        Sets file to hidden
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        40⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        40⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        41⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        41⤵
        Sets file to hidden
        
        PID:6224
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        41⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:31760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        42⤵
        
        PID:32732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        42⤵
        
        PID:31216
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        42⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        43⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        43⤵
        Sets file to hidden
        
        PID:13736
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        43⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:21012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        44⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        44⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        44⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        45⤵
        Sets file to hidden
        
        PID:20928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        45⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        45⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        46⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        46⤵
        
        PID:23192
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        46⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        47⤵
        
        PID:31728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        47⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        47⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        48⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        48⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        48⤵
        
        PID:23840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:29016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        49⤵
        Views/modifies file attributes
        
        PID:31484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        49⤵
        
        PID:24020
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        49⤵
        
        PID:23492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        50⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        50⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        50⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        51⤵
        Views/modifies file attributes
        
        PID:7588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        51⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        51⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        52⤵
        
        PID:26680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        52⤵
        
        PID:26708
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        52⤵
        
        PID:29164
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        53⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        53⤵
        Sets file to hidden
        
        PID:32620
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        53⤵
        
        PID:25240
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        54⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        54⤵
        Views/modifies file attributes
        
        PID:6956
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        54⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        55⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        55⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        55⤵
        
        PID:28780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:29060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        56⤵
        Sets file to hidden
        
        PID:29116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        56⤵
        Views/modifies file attributes
        
        PID:29204
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        56⤵
        
        PID:31932
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        
        PID:23912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        57⤵
        
        PID:23960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        57⤵
        
        PID:24004
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        57⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        
        PID:24568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        58⤵
        
        PID:25032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        58⤵
        
        PID:25056
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        58⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:14428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        59⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        59⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        59⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        
        PID:25016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        60⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        60⤵
        
        PID:33612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        60⤵
        
        PID:25188
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:24156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        61⤵
        
        PID:23992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        61⤵
        
        PID:23976
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        61⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        62⤵
        Views/modifies file attributes
        
        PID:7552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        62⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        62⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        63⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        63⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        63⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        64⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        64⤵
        Views/modifies file attributes
        
        PID:11704
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        64⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        65⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        65⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        65⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        66⤵
        Views/modifies file attributes
        
        PID:10688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        66⤵
        Views/modifies file attributes
        
        PID:10712
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        66⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11120 -s 264
        68⤵
        Program crash
        
        PID:25764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        67⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        67⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        67⤵
        
        PID:25840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        
        PID:25668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        68⤵
        
        PID:25680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        68⤵
        
        PID:25976
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        68⤵
        
        PID:26140
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:26248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        69⤵
        Sets file to hidden
        
        PID:26260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        69⤵
        
        PID:26336
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        69⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        70⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        70⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        70⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        71⤵
        Views/modifies file attributes
        
        PID:11900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        71⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        71⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        72⤵
        
        PID:20520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        72⤵
        
        PID:20592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        72⤵
        Sets file to hidden
        
        PID:20608
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        72⤵
        
        PID:21924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        
        PID:21064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        73⤵
        
        PID:20468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        73⤵
        
        PID:20124
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        73⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        74⤵
        
        PID:12576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        74⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        74⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        74⤵
        
        PID:22744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        75⤵
        
        PID:23068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        75⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:23136
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        75⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        76⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        76⤵
        Views/modifies file attributes
        
        PID:13032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        76⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        76⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        77⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        77⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        77⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        78⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        78⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        78⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        78⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:30972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        79⤵
        
        PID:28248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        79⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        79⤵
        
        PID:18364
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        80⤵
        
        PID:18188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        80⤵
        
        PID:18164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        80⤵
        Views/modifies file attributes
        
        PID:18116
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        80⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        81⤵
        Sets file to hidden
        
        PID:13988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        81⤵
        
        PID:13620
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        81⤵
        
        PID:15388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        82⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        82⤵
        
        PID:15944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        82⤵
        
        PID:15920
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        82⤵
        
        PID:16580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:18132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        83⤵
        
        PID:18008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        83⤵
        
        PID:18056
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        83⤵
        
        PID:17440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        84⤵
        
        PID:17232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        84⤵
        
        PID:17180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        84⤵
        Sets file to hidden
        
        PID:17132
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        84⤵
        
        PID:18268
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:19580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        85⤵
        
        PID:19636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        85⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        85⤵
        
        PID:19176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        86⤵
        
        PID:20364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        86⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:19564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        86⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:19932
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        86⤵
        
        PID:21508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:18788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        87⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:23588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        87⤵
        Sets file to hidden
        
        PID:23612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        87⤵
        
        PID:24284
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        88⤵
        
        PID:24556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        88⤵
        Sets file to hidden
        
        PID:24708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        88⤵
        Views/modifies file attributes
        
        PID:24644
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        88⤵
        
        PID:25156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:25588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        89⤵
        Views/modifies file attributes
        
        PID:25644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        89⤵
        
        PID:25684
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        89⤵
        
        PID:26196
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        90⤵
        
        PID:26428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        90⤵
        Views/modifies file attributes
        
        PID:26524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        90⤵
        
        PID:26944
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        90⤵
        
        PID:27388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:27604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        91⤵
        Views/modifies file attributes
        
        PID:27712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        91⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:27752
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        91⤵
        
        PID:27864
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        92⤵
        
        PID:19344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        92⤵
        
        PID:19668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        92⤵
        
        PID:19120
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        92⤵
        
        PID:28804
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        
        PID:29608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        93⤵
        
        PID:29684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        93⤵
        
        PID:29672
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        93⤵
        
        PID:31060
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        94⤵
        
        PID:30748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        94⤵
        Sets file to hidden
        
        PID:30704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        94⤵
        
        PID:30640
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        94⤵
        
        PID:31404
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:31604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        95⤵
        
        PID:31700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        95⤵
        Sets file to hidden
        
        PID:31736
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        95⤵
        
        PID:32288
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        96⤵
        
        PID:32504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        96⤵
        
        PID:32556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        96⤵
        
        PID:32568
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        96⤵
        
        PID:33116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:33352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        97⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        97⤵
        Sets file to hidden
        
        PID:18844
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        97⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        98⤵
        
        PID:27500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        98⤵
        Views/modifies file attributes
        
        PID:27796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        98⤵
        
        PID:27776
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        98⤵
        
        PID:28040
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:27440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        99⤵
        
        PID:27788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        99⤵
        Sets file to hidden
        
        PID:27820
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        99⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        100⤵
        
        PID:32380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        100⤵
        
        PID:32260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        100⤵
        
        PID:31988
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        100⤵
        
        PID:31096
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:29620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        101⤵
        
        PID:29664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        101⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        101⤵
        
        PID:20276
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        102⤵
        
        PID:29964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        102⤵
        
        PID:30028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        102⤵
        Views/modifies file attributes
        
        PID:30004
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        102⤵
        
        PID:20744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:20568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        103⤵
        
        PID:19940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        103⤵
        
        PID:19872
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        103⤵
        
        PID:20212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        104⤵
        
        PID:20616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        104⤵
        Views/modifies file attributes
        
        PID:18936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        104⤵
        
        PID:18912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        104⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:28212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        105⤵
        
        PID:28164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        105⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        105⤵
        
        PID:22124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        106⤵
        
        PID:24868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        106⤵
        Sets file to hidden
        
        PID:24936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        106⤵
        Sets file to hidden
        
        PID:24964
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        106⤵
        
        PID:27460
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        
        PID:32944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        107⤵
        Sets file to hidden
        
        PID:33032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        107⤵
        
        PID:33324
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        107⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        108⤵
        
        PID:29264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        108⤵
        Views/modifies file attributes
        
        PID:29176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        108⤵
        
        PID:29112
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        108⤵
        
        PID:28608
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:28416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        109⤵
        
        PID:28392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        109⤵
        Views/modifies file attributes
        
        PID:28352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        109⤵
        
        PID:21588
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        110⤵
        
        PID:21352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21352 -s 84
        111⤵
        Program crash
        
        PID:22984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        110⤵
        Views/modifies file attributes
        
        PID:21292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        110⤵
        
        PID:22116
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        110⤵
        
        PID:23188
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:23396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        111⤵
        Views/modifies file attributes
        
        PID:23440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        111⤵
        
        PID:23580
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        111⤵
        
        PID:24360
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        112⤵
        
        PID:24184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        112⤵
        
        PID:24112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        112⤵
        
        PID:24084
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        112⤵
        
        PID:25276
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:25508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        113⤵
        
        PID:25544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        113⤵
        Sets file to hidden
        
        PID:25616
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        113⤵
        
        PID:26156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        114⤵
        
        PID:26368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        114⤵
        Sets file to hidden
        
        PID:26396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        114⤵
        
        PID:26500
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        114⤵
        
        PID:27028
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:32652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        115⤵
        
        PID:27892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        115⤵
        Sets file to hidden
        
        PID:27876
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        115⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        116⤵
        
        PID:30420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        116⤵
        
        PID:28128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        116⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        116⤵
        
        PID:29744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:30016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        117⤵
        
        PID:30064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        117⤵
        Sets file to hidden
        
        PID:30192
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        117⤵
        
        PID:272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        118⤵
        
        PID:32280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        118⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        118⤵
        
        PID:30572
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        118⤵
        
        PID:32520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:32544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        119⤵
        Sets file to hidden
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        119⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        119⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        120⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        120⤵
        Sets file to hidden
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        120⤵
        Views/modifies file attributes
        
        PID:4420
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        120⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        121⤵
        
        PID:30488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        121⤵
        
        PID:33524
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        121⤵
        
        PID:32036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        122⤵
        
        PID:31896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        122⤵
        Views/modifies file attributes
        
        PID:31456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        122⤵
        
        PID:30852
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        122⤵
        
        PID:31848
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:31220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        123⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        123⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        123⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        124⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        124⤵
        Sets file to hidden
        
        PID:232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        124⤵
        
        PID:32760
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        124⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        125⤵
        Views/modifies file attributes
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        125⤵
        Views/modifies file attributes
        
        PID:3128
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        125⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        126⤵
        
        PID:30228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        126⤵
        
        PID:30108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        126⤵
        
        PID:30544
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        126⤵
        
        PID:29812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        127⤵
        
        PID:33280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        127⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        127⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        128⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        128⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        128⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        128⤵
        
        PID:14328
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:28752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        129⤵
        
        PID:29256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        129⤵
        
        PID:29048
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        129⤵
        
        PID:28320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        130⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        130⤵
        Views/modifies file attributes
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        130⤵
        
        PID:30724
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        130⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        131⤵
        
        PID:936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        131⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        131⤵
        Sets file to hidden
        
        PID:3512
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        131⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        132⤵
        
        PID:32900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        132⤵
        Views/modifies file attributes
        
        PID:31160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        132⤵
        
        PID:24692
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        132⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        133⤵
        
        PID:17972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        133⤵
        
        PID:31300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        133⤵
        
        PID:17956
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        133⤵
        
        PID:29464
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        134⤵
        
        PID:16544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        134⤵
        
        PID:17332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        134⤵
        Views/modifies file attributes
        
        PID:16456
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        134⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        135⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        135⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        135⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        135⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        136⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        136⤵
        
        PID:31824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        136⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        136⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        137⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        137⤵
        
        PID:32792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        137⤵
        
        PID:32600
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        137⤵
        
        PID:28716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        138⤵
        
        PID:17020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        138⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        138⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        138⤵
        
        PID:17656
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        139⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        139⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        139⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        139⤵
        
        PID:13344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        140⤵
        
        PID:15240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        140⤵
        Views/modifies file attributes
        
        PID:15136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        140⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        140⤵
        
        PID:28020
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        141⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        141⤵
        
        PID:33740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        141⤵
        
        PID:33772
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        141⤵
        
        PID:33664
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        142⤵
        
        PID:27508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        142⤵
        
        PID:27180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        142⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:27632
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        142⤵
        
        PID:27016
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        143⤵
        
        PID:26992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        143⤵
        
        PID:27336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        143⤵
        
        PID:19936
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        143⤵
        
        PID:26792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        144⤵
        
        PID:26760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        144⤵
        
        PID:26984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        144⤵
        
        PID:26860
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        144⤵
        
        PID:26460
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        145⤵
        
        PID:22728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        145⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:22768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        145⤵
        
        PID:22860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:23080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        145⤵
        
        PID:22300
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        146⤵
        
        PID:22360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        146⤵
        
        PID:22408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        146⤵
        
        PID:22468
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        146⤵
        
        PID:22072
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        147⤵
        
        PID:21584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        147⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:21340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        147⤵
        
        PID:21460
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        147⤵
        
        PID:20924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        148⤵
        
        PID:21068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        148⤵
        
        PID:436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        148⤵
        
        PID:15312
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        148⤵
        
        PID:20812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        149⤵
        
        PID:20548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        149⤵
        
        PID:20256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        149⤵
        Views/modifies file attributes
        
        PID:20056
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        149⤵
        
        PID:19728
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        150⤵
        
        PID:19600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        150⤵
        
        PID:19772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        150⤵
        
        PID:19612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        150⤵
        
        PID:19388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        151⤵
        
        PID:19536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        151⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:19532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        151⤵
        
        PID:18868
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        151⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        152⤵
        
        PID:18208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        152⤵
        
        PID:18256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        152⤵
        
        PID:18280
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        152⤵
        
        PID:18016
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        153⤵
        
        PID:18000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        153⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        153⤵
        Views/modifies file attributes
        
        PID:17856
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        153⤵
        
        PID:17688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        154⤵
        
        PID:17388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        154⤵
        
        PID:16936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        154⤵
        
        PID:16948
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        154⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        155⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        155⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        155⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        155⤵
        
        PID:14528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        156⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        156⤵
        
        PID:14796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        156⤵
        Sets file to hidden
        
        PID:15044
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        156⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        157⤵
        
        PID:15424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        157⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        157⤵
        
        PID:15384
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        157⤵
        
        PID:15964
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        158⤵
        
        PID:15948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        158⤵
        
        PID:16316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        158⤵
        
        PID:16284
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        158⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        159⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        159⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        159⤵
        Sets file to hidden
        
        PID:13708
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        159⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        160⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        160⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        160⤵
        
        PID:13404
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        160⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        161⤵
        
        PID:12056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        161⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        161⤵
        Sets file to hidden
        
        PID:12192
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        161⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        162⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        162⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        162⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        162⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        163⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        163⤵
        Sets file to hidden
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        163⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        163⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        164⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        164⤵
        
        PID:33432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        164⤵
        
        PID:33472
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        164⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        165⤵
        
        PID:31556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        165⤵
        
        PID:14516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        165⤵
        
        PID:33156
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        165⤵
        
        PID:15636
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        166⤵
        
        PID:26972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        166⤵
        
        PID:25460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        166⤵
        
        PID:29956
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        166⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        167⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        167⤵
        Sets file to hidden
        
        PID:30464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        167⤵
        
        PID:26088
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        167⤵
        
        PID:21032
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        168⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        168⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        168⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        168⤵
        
        PID:32892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        169⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        169⤵
        Sets file to hidden
        
        PID:11932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        169⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        169⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        170⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        170⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        170⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        170⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        171⤵
        
        PID:24432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        171⤵
        Views/modifies file attributes
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        171⤵
        Sets file to hidden
        
        PID:12096
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        171⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        172⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        172⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:24448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        172⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        172⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        173⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        173⤵
        
        PID:23848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        173⤵
        
        PID:23808
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        173⤵
        
        PID:31484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        174⤵
        
        PID:25364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        174⤵
        Sets file to hidden
        
        PID:23404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        174⤵
        
        PID:16320
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        174⤵
        
        PID:26432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        175⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        175⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        175⤵
        Views/modifies file attributes
        
        PID:8740
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        175⤵
        
        PID:29268
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        176⤵
        
        PID:26776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        176⤵
        
        PID:28892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        176⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        176⤵
        
        PID:31712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        177⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        177⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        177⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        177⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        178⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        178⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        178⤵
        
        PID:28396
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        178⤵
        
        PID:31648
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        179⤵
        
        PID:28780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        179⤵
        Views/modifies file attributes
        
        PID:24328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        179⤵
        Views/modifies file attributes
        
        PID:24484
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        179⤵
        
        PID:24588
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        180⤵
        
        PID:24544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        180⤵
        
        PID:24684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        180⤵
        
        PID:24540
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        180⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        181⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        181⤵
        
        PID:24832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        181⤵
        
        PID:33080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        181⤵
        
        PID:17260
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        182⤵
        
        PID:28852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        182⤵
        
        PID:23992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        182⤵
        
        PID:31352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        182⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        183⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        183⤵
        Views/modifies file attributes
        
        PID:7520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        183⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        183⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        184⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        184⤵
        Views/modifies file attributes
        
        PID:11704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        184⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        184⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        185⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        185⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        185⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        185⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        186⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        186⤵
        
        PID:25776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        186⤵
        
        PID:25480
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        186⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        187⤵
        
        PID:26044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        187⤵
        
        PID:25904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        187⤵
        
        PID:25612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        187⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        188⤵
        
        PID:25336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        188⤵
        
        PID:26376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        188⤵
        
        PID:26352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        188⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        189⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        189⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        189⤵
        Sets file to hidden
        
        PID:12100
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        189⤵
        
        PID:17448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        190⤵
        
        PID:12840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        190⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        190⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        190⤵
        
        PID:20784
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        191⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        191⤵
        Sets file to hidden
        
        PID:22208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        191⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        191⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        192⤵
        
        PID:22480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        192⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        192⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        192⤵
        
        PID:23232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        193⤵
        
        PID:30668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        193⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        193⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        193⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        194⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        194⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        194⤵
        Sets file to hidden
        
        PID:13892
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        194⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        195⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        195⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        194⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        193⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        192⤵
        
        PID:22812
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        191⤵
        
        PID:22536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        190⤵
        
        PID:20752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        189⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        188⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        187⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        186⤵
        
        PID:26004
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        185⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        184⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        183⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        182⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        181⤵
        
        PID:24764
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        180⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        179⤵
        
        PID:25040
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        178⤵
        
        PID:29412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        177⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        176⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        175⤵
        
        PID:29188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        174⤵
        
        PID:25008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        173⤵
        
        PID:23380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        172⤵
        
        PID:32796
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        171⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        170⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        169⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        168⤵
        
        PID:32452
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        167⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        166⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        165⤵
        
        PID:15608
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        164⤵
        
        PID:32836
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        163⤵
        
        PID:21396
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        162⤵
        
        PID:27668
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        161⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        160⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        159⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        158⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        157⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        156⤵
        
        PID:15420
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        155⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        154⤵
        
        PID:13992
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        153⤵
        
        PID:17744
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        152⤵
        
        PID:17784
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        151⤵
        
        PID:18544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        150⤵
        
        PID:19224
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        149⤵
        
        PID:19784
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        148⤵
        
        PID:20868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        147⤵
        
        PID:21148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21148 -s 360
        148⤵
        Program crash
        
        PID:4796
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        146⤵
        
        PID:22088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        145⤵
        
        PID:22544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        144⤵
        
        PID:26516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        143⤵
        
        PID:26588
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        142⤵
        
        PID:23052
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        141⤵
        
        PID:24504
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        140⤵
        
        PID:32120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 32120 -s 160
        141⤵
        Program crash
        
        PID:33736
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        139⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        138⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        137⤵
        
        PID:28660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        136⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        135⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        134⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        133⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        132⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        131⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        130⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        129⤵
        
        PID:28440
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        128⤵
        
        PID:14244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        127⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        126⤵
        
        PID:29660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        125⤵
        
        PID:30568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        124⤵
        
        PID:928
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        123⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        122⤵
        
        PID:30940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        121⤵
        
        PID:32408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        120⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        119⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        118⤵
        
        PID:18900
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        117⤵
        
        PID:31232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        116⤵
        
        PID:29752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        115⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        114⤵
        
        PID:33104
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        113⤵
        
        PID:26164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        112⤵
        
        PID:25340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        111⤵
        
        PID:24356
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        110⤵
        
        PID:23240
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        109⤵
        
        PID:21552
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        108⤵
        
        PID:28592
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        107⤵
        
        PID:29416
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        106⤵
        
        PID:27496
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        105⤵
        
        PID:22172
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        104⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        103⤵
        
        PID:20476
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        102⤵
        
        PID:20728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        101⤵
        
        PID:20164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        100⤵
        
        PID:30596
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        99⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        98⤵
        
        PID:28364
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        97⤵
        
        PID:24192
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        96⤵
        
        PID:33216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        95⤵
        
        PID:32296
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        94⤵
        
        PID:31364
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        93⤵
        
        PID:31004
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        92⤵
        
        PID:29420
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        91⤵
        
        PID:19016
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        90⤵
        
        PID:27444
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        89⤵
        
        PID:26244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        88⤵
        
        PID:25132
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        87⤵
        
        PID:24324
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        86⤵
        
        PID:21520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        85⤵
        
        PID:18940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        84⤵
        
        PID:18520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        83⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        82⤵
        
        PID:16512
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        81⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        80⤵
        
        PID:14408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        79⤵
        
        PID:18360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        78⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        77⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        76⤵
        
        PID:13316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13316 -s 152
        77⤵
        Program crash
        
        PID:13596
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        75⤵
        
        PID:12868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        74⤵
        
        PID:22776
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        73⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        72⤵
        
        PID:22024
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        71⤵
        
        PID:18568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        70⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        69⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        68⤵
        
        PID:26188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        67⤵
        
        PID:25788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        66⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        65⤵
        
        PID:24296
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        64⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        63⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        62⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        61⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        60⤵
        
        PID:25152
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        59⤵
        
        PID:24672
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        58⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        57⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        56⤵
        
        PID:32312
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        55⤵
        
        PID:28788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        54⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        53⤵
        
        PID:25172
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        52⤵
        
        PID:29300
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        51⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        50⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        49⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        48⤵
        
        PID:23868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        47⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        46⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        45⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        44⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        43⤵
        
        PID:28956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        42⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        41⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        40⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        39⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        38⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        37⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        36⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        35⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        34⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        33⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        32⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        31⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        30⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        29⤵
        
        PID:12924
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        28⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        27⤵
        
        PID:16604
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        26⤵
        
        PID:16056
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        25⤵
        
        PID:15664
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        24⤵
        
        PID:15180
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        23⤵
        
        PID:14660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        22⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:16920
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        20⤵
        
        PID:17212
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        19⤵
        
        PID:17752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        18⤵
        
        PID:18152
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        17⤵
        
        PID:18612
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        16⤵
        
        PID:19092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        15⤵
        
        PID:19520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:20408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:20540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:21228
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:21780
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:22264
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:22700
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:23284
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:26508
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:26976
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:5184
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:9056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:31556

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6b649691dd2546e297fe494cf22b49f4 /t 30900 /p 30852
1⤵
PID:32400

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\099ae6b342bd454b89735f063ec4ffd4 /t 30796 /p 30788
1⤵
PID:31812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:10964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 11120 -ip 11120
1⤵
PID:25752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 13316 -ip 13316
1⤵
PID:9436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 21352 -ip 21352
1⤵
PID:22352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 32120 -ip 32120
1⤵
PID:27996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 21148 -ip 21148
1⤵
PID:14768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-1CE9ADE2.[[email protected]].ncov

Filesize
2.7MB

MD5
b7d833d9ada85d34b27c174adc1a5150

SHA1
2660d454852957f681f87f077420445a2491b394

SHA256
87660267bbd15375ec5f47bebeab99af6818d36f165247f6d40eb2e7f60cf117

SHA512
edc5a555a69cfecdae217d7d8151c806fc60d870b164c8116c8622edbd838b69dbaa96138aac78e3cbb04783f72e5b61dacb8ae6417675d512cf8cedb16065c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
328b0cc5237f1d12e3f86c6071f09174

SHA1
919685fe666b4ac5b6f74219c91dc2a139518645

SHA256
311af3399c7c945ea0bfade771c7740b854e4cc575635c38dc705b082a749077

SHA512
4400b00f7b837193bd864be0b7ce92bb87d37421186783ff36e7f4de5ec8e3d477032471b4e82039a70149755089092db490919bc22c44b0ced2238729af06f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
7ac37464384ee7179ac68d1e99242b2d

SHA1
4ee441656cca629a32015adecc58aee62ae1f653

SHA256
e1ccebabefc990c0bc44376e9070301b5f1d57ed0260c81c4e78136e66fe2690

SHA512
ff6a8d9db51b9abeeceb69d251f38ccab6be5b670c193cab2f2b60292f5c66016db516980f14848021dbdb6e1933712d588fd3eafa7a7a36fd1657a3b55b3db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe594c70.TMP

Filesize
579B

MD5
5613f5ab886cc1ce42bc8b34123df98c

SHA1
1ef00f63038f992470abd0d530e1033b076e676c

SHA256
0a63b79dda73fb0d7941488e73455bbf96e5f1c3df920c93a959605ad8445d16

SHA512
55c098634c4457091724a69d2a15bba1c59bee26faa0b27c3e58e8de2cee808db4493847306a2ddfeaec3dce72d21f4b2d1dcedf1895fe64ca9a3cd07daf3a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
573c1ad3eca415f6488ab29e37cff027

SHA1
72b10b37335d8179c61c43687497bae8af2b5096

SHA256
ee48c0b706934d37d086ffcd65ee4d236df76cf5d109a392c536bf9096dbb68c

SHA512
27b21e2a71ed389c4849bb035b3db3eea77c5a9c17bdb86e636e613cbb871a791fce77d611d6a7bf04e8cc34884827128005d452c8f22531a880ff0523e40f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70a21823744eec3e1648ef13d4084e5c

SHA1
61bacd2a80bc3fd06bf18e5b89932786552b3be4

SHA256
32cf21afa22384445e08d1f50623799f1a16a7ac95f476c78d65a9db3924be91

SHA512
10fd884d5128d175e81fee206ce3db35c106196091a8678fc5fc2382886f838c32f7bd817820a4d2d0bef5d8df85812dfde85402589ecef62c158e0b687cde1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e664f8112e6571241b3f5286803a3ebd

SHA1
4aee0dbb0d6fe216bf11d5a8e58e247560babb8f

SHA256
7a21fb5a6fa634a0cd014d17a5e1988e6a7d8e9fe1e3b9f19809e230d06aa464

SHA512
14df1a5b78c608c1e8a263778be2f33858010b49d0b066c3aaf339af3f3305f23548a7816eca253ca81c64aed65786a09f58c5870a0c4858124437a39ecebfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1547a875625bc4cb641004cfd3dd1687

SHA1
d608a7fca27dff97842e108e2c67ffa95bb974ac

SHA256
cac9321d96ce74527d534d4ef3997ed3b248ae6436a03a73afa96b97cf42efb1

SHA512
5d7887f771e659ea98a02f35f718a1401c7b34740804963b47741587b8d7c7020b8b7d9d1add078239fa30132d9a237b9321514eabb363c008b77f3f45e690c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e42e203cf6713ca416e2f507788761a

SHA1
ab271290d27ae2f0524db18c207b38b1825fce5f

SHA256
9bbbc5bce9aefea420f63157ecbbaf33a5712809b606562e253e6029899c1a00

SHA512
160e205804d7df0a51f27962568e06502e8426fe1223af62660380065dd553025c9defba91cfb3af0e4f6302a69ea28a672f701f456d5ce582bdaa418b20fafc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b93724c8a21913f3ba094f61e078833

SHA1
c16c8839a82ba18072d3603b8ee873b2968b3d82

SHA256
40878a4b915849b6de78fa903508440e3554c25bc2c1c3b7a80fc96b5c9ab315

SHA512
4bf8cf54db4bc63ea53edaaed0876a4f07f32471277cdc39df6beb232748c8cf141dba9bfecc7d67b84d7e17e34d9fff9b7b835585f2e6f39863debe51e527c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
220be2bea417ccbc62ecebc20b4194f6

SHA1
82a0f00191bfa7a6b2a1ebcbc27e2cbee0b4b336

SHA256
bab17cd13506a63c5ab0b99f0544e00a5e0652acf61a77f9b383db03127e0728

SHA512
19662dbb7e7a27ec3f148c4066e94ae17221dd686292c1462262b7d34f9795e96365bf2e3571479c188c0221ac4ee4f80124a48c8af03d6e1b05be11e4b6b5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24a725156620fc538a1a43c732085e38

SHA1
cf312cecfb2f4603f5514bde7b69ef80de6e029d

SHA256
47d29e208f99613adbcadc9e091dbe3a27d48d4f4e543138c0be583553608a35

SHA512
280fa78ad52811166144589f8642b966dd846e5ad62f34a4dc6ca092a1202042a6aa786f4b55f5b1721c21ac0459efc48cf7eb741e9ef6217913ecd61a9b3d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59066f.TMP

Filesize
1KB

MD5
c77cfd2a6cabaf1faca757059c09a331

SHA1
32bd071bec63afdb14965d67572080c769939276

SHA256
301c19ea4819271d1816c13bd41c47c135e3692cc552fed2b3ee2f04aa33d447

SHA512
fd8f78337c3c5e0ccf79c39311872776429b46a0856a6467aa3028217e5dce3d163e308c24d985d1619503d397f0504d740a52349410caef692111036147658a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d849bbe135be1210a44e9f8fe031342f

SHA1
b64adf3038a41c484508c4249af11d2f05997cc4

SHA256
54efb11c2cc04141854d4c11e58790ca05af665b66c732b60b4233d23a5467bd

SHA512
6896305ca68f3b438f9c0510ac155fd3ec4aea4fcb682710145eed6c525b181b395c8b41c9d674bf1f6ebb49d8beb89b57d225cd826a5acb9fd446e93089c872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5cf0663365e8b5863d38f25eb85c1ea8

SHA1
43749efe1f8bcdd12e1567585afa31aa84444170

SHA256
fdd5483dea46ff29c62cde8cd38ab3f9731f329eb33bde7699c231d8ef068f00

SHA512
705a68ad0c77f30d83d6d9feb123e382ef2f2f97ef30f229b6e762b04d5c14c458eec1d3be939814f9113bfd7ad68b2b130bb4cb16c1cd4881efd2e5fad9d39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c4c662105a23cd761e9ea8b4970bc6ea

SHA1
9e4db0e0f05c1c192f454d2347ffa89bf622d4f8

SHA256
14e32376e3e411b4b252c63198770689efcba42ee28b754cb0e3ada04775c9bf

SHA512
3efda3d8759dbecda64e962c258694f96f1f13459e7fecf2bfc297e4633b53773843490a4b4e9e73aa3aa19c68bea13ae511cc600c194a848b4ad49d41efba23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f966056a81f2e241f315946016e3104

SHA1
60967279a958cb1cf445648b4f50c91b0c947669

SHA256
6401900d80a40a23b36e42af81d374bcd5e3bd5251c900852872a71647c16e2c

SHA512
1e4e88bfa350636d5e0c98e75897bd5a5eb31b19ebfdb6d2e0a9b49b5b2eff1b1aba677b480846ba3a52ab39fac82c8a0e7a7e2a6d8229b086a370f2dd5a5e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dd614a334e2d9bb7efe861d1684df392

SHA1
982c90daeebb2b7aa9ebe61d8cdffb22109005c9

SHA256
a78a3b4fa390e1e99a1d92946d789ddfef2bd1dfd5af0b177a3408e7f476bb7b

SHA512
4411697d488fb6b2bd71d91fad749c1c0e17315b5f9ed26cffd7333c82179e64853186e4bb2d4ed5a83588a918632ccca27a83cc3657e36819897bbb8c7f0ddd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 125520.crdownload

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 464707.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 56777.crdownload

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/3884-25378-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5492-223-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5492-199-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5492-7211-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5704-9773-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5704-220-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5704-7897-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5736-222-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5736-9762-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5736-7924-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6540-25196-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/6540-25208-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/6540-25207-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/8904-25375-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/9056-25371-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/9288-25258-0x000000001CDB0000-0x000000001CDFC000-memory.dmp

Filesize
304KB

Download
memory/9288-25257-0x00000000019B0000-0x00000000019B8000-memory.dmp

Filesize
32KB

Download
memory/9288-25256-0x000000001CBA0000-0x000000001CC3C000-memory.dmp

Filesize
624KB

Download
memory/9288-25254-0x000000001BFB0000-0x000000001C056000-memory.dmp

Filesize
664KB

Download
memory/9288-25255-0x000000001C630000-0x000000001CAFE000-memory.dmp

Filesize
4.8MB

Download
memory/14180-25372-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/14576-25339-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/20548-25403-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/21356-25400-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/21768-25397-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/22280-25394-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/22720-25391-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/23276-25388-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/26528-25385-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/26980-25382-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download