Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
230s -
max time network
271s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22/05/2024, 21:04
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Resource
win10v2004-20240426-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Modifies WinLogon for persistence 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 5628 attrib.exe 29116 attrib.exe 24964 attrib.exe 21340 attrib.exe 11932 attrib.exe 13892 attrib.exe 33032 attrib.exe 12192 attrib.exe 19564 attrib.exe 26396 attrib.exe 232 attrib.exe 3512 attrib.exe 27632 attrib.exe 22208 attrib.exe 23080 attrib.exe 6224 attrib.exe 13736 attrib.exe 30704 attrib.exe 8348 attrib.exe 12100 attrib.exe 9036 attrib.exe 27820 attrib.exe 13708 attrib.exe 23136 attrib.exe 18956 attrib.exe 30464 attrib.exe 22148 attrib.exe 19388 attrib.exe 21476 attrib.exe 23404 attrib.exe 32620 attrib.exe 20608 attrib.exe 18844 attrib.exe 22768 attrib.exe 24292 attrib.exe 12096 attrib.exe 9084 attrib.exe 13284 attrib.exe 27876 attrib.exe 23072 attrib.exe 6028 attrib.exe 23588 attrib.exe 19532 attrib.exe 26260 attrib.exe 31736 attrib.exe 24448 attrib.exe 19932 attrib.exe 5672 attrib.exe 24708 attrib.exe 30192 attrib.exe 11888 attrib.exe 20928 attrib.exe 8848 attrib.exe 23612 attrib.exe 24236 attrib.exe 22160 attrib.exe 15784 attrib.exe 15016 attrib.exe 15044 attrib.exe 13988 attrib.exe 17132 attrib.exe 27752 attrib.exe 24936 attrib.exe 25616 attrib.exe -
resource yara_rule behavioral1/files/0x0004000000021b17-25129.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation CoronaVirus.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation Blackkomet.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation winupdate.exe -
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe -
Executes dropped EXE 22 IoCs
pid Process 5492 CoronaVirus.exe 5704 CoronaVirus.exe 5736 CoronaVirus.exe 5740 msedge.exe 29240 msedge.exe 11084 msedge.exe 4168 msedge.exe 6540 Popup.exe 17724 msedge.exe 17332 msedge.exe 9984 msedge.exe 9288 Trololo.exe 16068 msedge.exe 15524 msedge.exe 15328 msedge.exe 14180 Blackkomet.exe 8904 winupdate.exe 3884 winupdate.exe 26980 winupdate.exe 26528 winupdate.exe 23276 winupdate.exe 22720 winupdate.exe -
Loads dropped DLL 10 IoCs
pid Process 5740 msedge.exe 29240 msedge.exe 11084 msedge.exe 4168 msedge.exe 17724 msedge.exe 17332 msedge.exe 9984 msedge.exe 16068 msedge.exe 15524 msedge.exe 15328 msedge.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 50 raw.githubusercontent.com 58 raw.githubusercontent.com -
Drops file in System32 directory 43 IoCs
description ioc Process File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe Blackkomet.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ Blackkomet.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\canary.identity_helper.exe.manifest CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat CoronaVirus.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1 CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\selector.js.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Mail\wabimp.dll CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\BlankImage.png CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.js CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gu.pak.DATA.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_sr.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll CoronaVirus.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\PackageManagementDscUtilities.strings.psd1.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\7z.sfx.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ml.pak.DATA CoronaVirus.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.id-1CE9ADE2.[[email protected]].ncov CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
pid pid_target Process procid_target 25764 11120 WerFault.exe 615 13596 13316 WerFault.exe 687 22984 21352 WerFault.exe 921 33736 32120 WerFault.exe 1139 4796 21148 WerFault.exe 1190 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 30492 vssadmin.exe 32080 vssadmin.exe -
Kills process with taskkill 2 IoCs
pid Process 9560 taskkill.exe 10624 taskkill.exe -
NTFS ADS 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 686385.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 125520.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 464707.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 445983.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 56777.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4508 msedge.exe 4508 msedge.exe 1976 msedge.exe 1976 msedge.exe 1544 identity_helper.exe 1544 identity_helper.exe 5384 msedge.exe 5384 msedge.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe 5492 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 31556 vssvc.exe Token: SeRestorePrivilege 31556 vssvc.exe Token: SeAuditPrivilege 31556 vssvc.exe Token: SeDebugPrivilege 9560 taskkill.exe Token: SeDebugPrivilege 10624 taskkill.exe Token: 33 10964 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 10964 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 14180 Blackkomet.exe Token: SeSecurityPrivilege 14180 Blackkomet.exe Token: SeTakeOwnershipPrivilege 14180 Blackkomet.exe Token: SeLoadDriverPrivilege 14180 Blackkomet.exe Token: SeSystemProfilePrivilege 14180 Blackkomet.exe Token: SeSystemtimePrivilege 14180 Blackkomet.exe Token: SeProfSingleProcessPrivilege 14180 Blackkomet.exe Token: SeIncBasePriorityPrivilege 14180 Blackkomet.exe Token: SeCreatePagefilePrivilege 14180 Blackkomet.exe Token: SeBackupPrivilege 14180 Blackkomet.exe Token: SeRestorePrivilege 14180 Blackkomet.exe Token: SeShutdownPrivilege 14180 Blackkomet.exe Token: SeDebugPrivilege 14180 Blackkomet.exe Token: SeSystemEnvironmentPrivilege 14180 Blackkomet.exe Token: SeChangeNotifyPrivilege 14180 Blackkomet.exe Token: SeRemoteShutdownPrivilege 14180 Blackkomet.exe Token: SeUndockPrivilege 14180 Blackkomet.exe Token: SeManageVolumePrivilege 14180 Blackkomet.exe Token: SeImpersonatePrivilege 14180 Blackkomet.exe Token: SeCreateGlobalPrivilege 14180 Blackkomet.exe Token: 33 14180 Blackkomet.exe Token: 34 14180 Blackkomet.exe Token: 35 14180 Blackkomet.exe Token: 36 14180 Blackkomet.exe Token: SeIncreaseQuotaPrivilege 8904 winupdate.exe Token: SeSecurityPrivilege 8904 winupdate.exe Token: SeTakeOwnershipPrivilege 8904 winupdate.exe Token: SeLoadDriverPrivilege 8904 winupdate.exe Token: SeSystemProfilePrivilege 8904 winupdate.exe Token: SeSystemtimePrivilege 8904 winupdate.exe Token: SeProfSingleProcessPrivilege 8904 winupdate.exe Token: SeIncBasePriorityPrivilege 8904 winupdate.exe Token: SeCreatePagefilePrivilege 8904 winupdate.exe Token: SeBackupPrivilege 8904 winupdate.exe Token: SeRestorePrivilege 8904 winupdate.exe Token: SeShutdownPrivilege 8904 winupdate.exe Token: SeDebugPrivilege 8904 winupdate.exe Token: SeSystemEnvironmentPrivilege 8904 winupdate.exe Token: SeChangeNotifyPrivilege 8904 winupdate.exe Token: SeRemoteShutdownPrivilege 8904 winupdate.exe Token: SeUndockPrivilege 8904 winupdate.exe Token: SeManageVolumePrivilege 8904 winupdate.exe Token: SeImpersonatePrivilege 8904 winupdate.exe Token: SeCreateGlobalPrivilege 8904 winupdate.exe Token: 33 8904 winupdate.exe Token: 34 8904 winupdate.exe Token: 35 8904 winupdate.exe Token: 36 8904 winupdate.exe Token: SeIncreaseQuotaPrivilege 3884 winupdate.exe Token: SeSecurityPrivilege 3884 winupdate.exe Token: SeTakeOwnershipPrivilege 3884 winupdate.exe Token: SeLoadDriverPrivilege 3884 winupdate.exe Token: SeSystemProfilePrivilege 3884 winupdate.exe Token: SeSystemtimePrivilege 3884 winupdate.exe Token: SeProfSingleProcessPrivilege 3884 winupdate.exe Token: SeIncBasePriorityPrivilege 3884 winupdate.exe Token: SeCreatePagefilePrivilege 3884 winupdate.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 3812 1976 msedge.exe 83 PID 1976 wrote to memory of 3812 1976 msedge.exe 83 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4828 1976 msedge.exe 84 PID 1976 wrote to memory of 4508 1976 msedge.exe 85 PID 1976 wrote to memory of 4508 1976 msedge.exe 85 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 PID 1976 wrote to memory of 208 1976 msedge.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 64 IoCs
pid Process 20056 attrib.exe 23136 attrib.exe 27796 attrib.exe 27632 attrib.exe 22768 attrib.exe 5672 attrib.exe 27752 attrib.exe 31160 attrib.exe 15136 attrib.exe 18936 attrib.exe 21340 attrib.exe 5344 attrib.exe 3140 attrib.exe 8740 attrib.exe 19824 attrib.exe 15784 attrib.exe 13708 attrib.exe 23588 attrib.exe 16456 attrib.exe 6956 attrib.exe 3128 attrib.exe 11704 attrib.exe 10232 attrib.exe 29204 attrib.exe 31456 attrib.exe 19932 attrib.exe 25644 attrib.exe 30004 attrib.exe 19388 attrib.exe 13032 attrib.exe 18116 attrib.exe 7588 attrib.exe 9084 attrib.exe 7552 attrib.exe 10712 attrib.exe 8112 attrib.exe 13240 attrib.exe 11704 attrib.exe 24644 attrib.exe 29176 attrib.exe 19532 attrib.exe 27968 attrib.exe 10688 attrib.exe 24328 attrib.exe 15092 attrib.exe 23440 attrib.exe 17856 attrib.exe 27660 attrib.exe 7520 attrib.exe 4420 attrib.exe 23072 attrib.exe 22148 attrib.exe 32888 attrib.exe 31484 attrib.exe 27712 attrib.exe 28352 attrib.exe 21292 attrib.exe 24484 attrib.exe 21148 attrib.exe 20692 attrib.exe 11900 attrib.exe 24448 attrib.exe 19564 attrib.exe 26524 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceba246f8,0x7ffceba24708,0x7ffceba247182⤵PID:3812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵PID:4828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:12⤵PID:3140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵PID:1020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:82⤵PID:2064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:12⤵PID:3140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:12⤵PID:5036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:82⤵PID:5212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:82⤵PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5384
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5492 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:5788
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:14392
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:30492
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:30444
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:31228
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:32080
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:30788
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:30852
-
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
PID:5704
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
PID:5736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3308 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:29240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:11084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4168
-
-
C:\Users\Admin\Downloads\Popup.exe"C:\Users\Admin\Downloads\Popup.exe"2⤵
- Executes dropped EXE
PID:6540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:17724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:17332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9984
-
-
C:\Users\Admin\Downloads\Trololo.exe"C:\Users\Admin\Downloads\Trololo.exe"2⤵
- Executes dropped EXE
PID:9288 -
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9560
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10624
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:16068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6488 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1536511139768179138,16793525704652015805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15328
-
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:14180 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:14576
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵PID:30736
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
- Views/modifies file attributes
PID:27968
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:8904 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:27692
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:27660
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Drops file in System32 directory
PID:27632
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3884 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:27296
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Drops file in System32 directory
PID:23052
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Drops file in System32 directory
PID:23032
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:26980 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:26816
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Drops file in System32 directory
PID:26796
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
- Drops file in System32 directory
PID:26780
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:26528 -
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:24280
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
PID:24292
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
PID:24236
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:23276 -
C:\Windows\SysWOW64\notepad.exenotepad8⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:23144
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:23072
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
PID:23080
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:22720 -
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:22604
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Drops file in System32 directory
PID:22572
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Drops file in System32 directory
PID:22544
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵PID:22280
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵PID:22216
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
- Sets file to hidden
PID:22160
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:22148
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵PID:21768
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵PID:21680
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵PID:21656
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵PID:21640
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵PID:21356
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵PID:21260
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵PID:21188
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
- Views/modifies file attributes
PID:21148
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵PID:20548
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵PID:20640
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵PID:20700
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
- Views/modifies file attributes
PID:20692
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵PID:20484
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵PID:20324
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵PID:20316
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵PID:20352
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵PID:19992
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵PID:19904
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵PID:19860
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Views/modifies file attributes
PID:19824
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵PID:19532
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵PID:19436
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:19388
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵PID:19412
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵PID:19148
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵PID:18988
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵PID:18948
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
- Sets file to hidden
PID:18956
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵PID:18628
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵PID:18536
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵PID:18524
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵PID:18420
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵PID:18196
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵PID:18088
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵PID:18024
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵PID:18012
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵PID:17772
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵PID:17632
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵PID:17608
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵PID:17560
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵PID:17220
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵PID:17336
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵PID:17372
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵PID:17364
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵PID:16912
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵PID:9248
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵PID:9048
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
- Sets file to hidden
PID:9036
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵PID:14008
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵PID:14168
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵PID:14184
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵PID:14224
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵PID:14644
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵PID:14748
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵PID:14820
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵PID:14804
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵PID:15232
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵PID:15216
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵PID:15252
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵PID:15292
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵PID:15632
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵PID:15712
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵PID:15780
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:15784
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵PID:16044
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵PID:16208
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵PID:16260
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵PID:16248
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵PID:16668
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵PID:12000
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵PID:8636
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵
- Views/modifies file attributes
PID:13708
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵PID:13640
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵PID:13308
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
- Sets file to hidden
PID:13284
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵
- Views/modifies file attributes
PID:13240
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵PID:12956
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵PID:12836
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵PID:12828
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵PID:12796
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵PID:12492
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵PID:12348
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵PID:12380
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵PID:12404
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵PID:12028
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵PID:11920
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵PID:11904
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
- Sets file to hidden
PID:11888
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵PID:27716
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵PID:10408
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵PID:10356
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
- Views/modifies file attributes
PID:10232
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵PID:8892
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵PID:8732
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵PID:8608
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵PID:8588
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵PID:2988
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵PID:14064
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵
- Sets file to hidden
PID:21476
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵PID:13236
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵PID:33360
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵PID:32980
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
- Views/modifies file attributes
PID:32888
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵PID:32836
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵PID:13836
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵PID:14736
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵
- Sets file to hidden
PID:15016
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
- Views/modifies file attributes
PID:15092
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵PID:10596
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵PID:24564
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵PID:25444
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵PID:25476
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵PID:7356
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵PID:8512
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵PID:10440
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵PID:11804
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵PID:7440
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵PID:6020
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
- Sets file to hidden
PID:6028
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵PID:2672
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵PID:6376
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵PID:6280
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵PID:6240
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵
- Sets file to hidden
PID:6224
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵PID:5436
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵PID:31760
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵PID:32732
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵PID:31216
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵PID:9772
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵PID:11184
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵PID:13504
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
- Sets file to hidden
PID:13736
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵PID:13212
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵PID:21012
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵PID:5972
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵PID:6000
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵PID:5348
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵PID:5356
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵
- Sets file to hidden
PID:20928
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵PID:4036
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵PID:5432
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵PID:6528
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵PID:6576
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵PID:23192
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵PID:6492
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵PID:3580
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵PID:31728
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵PID:6620
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵PID:5420
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵PID:6852
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵PID:6900
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵PID:6784
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵PID:23840
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵PID:29016
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵
- Views/modifies file attributes
PID:31484
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵PID:24020
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵PID:23492
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵PID:7228
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵PID:7232
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵PID:7244
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵PID:7400
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵PID:7456
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵
- Views/modifies file attributes
PID:7588
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵PID:6832
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵PID:8716
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵PID:4744
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵PID:26680
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵PID:26708
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵PID:29164
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵PID:6860
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵PID:3172
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵
- Sets file to hidden
PID:32620
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵PID:25240
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵PID:6924
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵PID:6920
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵
- Views/modifies file attributes
PID:6956
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵PID:7080
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵PID:7832
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵PID:7868
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵PID:7888
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵PID:28780
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵PID:29060
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
- Sets file to hidden
PID:29116
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Views/modifies file attributes
PID:29204
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵PID:31932
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵PID:23912
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵PID:23960
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵PID:24004
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵PID:9316
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵PID:24568
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵PID:25032
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵PID:25056
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵PID:8100
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵PID:14428
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵PID:15064
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵PID:16100
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵PID:9592
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵PID:25016
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵PID:14728
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵PID:33612
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵PID:25188
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵PID:24156
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵PID:23992
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵PID:23976
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵PID:7484
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵PID:7544
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵
- Views/modifies file attributes
PID:7552
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵PID:7564
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵PID:7940
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵PID:8200
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵PID:8248
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵PID:8280
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵PID:8520
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵PID:9024
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵
- Sets file to hidden
- Views/modifies file attributes
PID:9084
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
- Views/modifies file attributes
PID:11704
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵PID:10124
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵PID:10236
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵PID:10304
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵PID:10288
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵PID:10552
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵PID:10660
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵
- Views/modifies file attributes
PID:10688
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵
- Views/modifies file attributes
PID:10712
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵PID:10988
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵PID:11120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11120 -s 26468⤵
- Program crash
PID:25764
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵PID:11136
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵PID:11144
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵PID:25840
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵PID:25668
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵PID:25680
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵PID:25976
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵PID:26140
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵PID:26248
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵
- Sets file to hidden
PID:26260
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵PID:26336
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵PID:11368
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵PID:11672
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵PID:11624
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵PID:11616
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵PID:12848
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵PID:11856
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵
- Views/modifies file attributes
PID:11900
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵PID:11884
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵PID:14840
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵PID:20520
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵PID:20592
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵
- Sets file to hidden
PID:20608
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵PID:21924
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵PID:21064
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵PID:20468
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵PID:20124
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵PID:12456
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵PID:12576
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵PID:12556
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵PID:12608
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵PID:22744
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵PID:12728
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵PID:23068
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
- Sets file to hidden
- Views/modifies file attributes
PID:23136
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵PID:12880
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵PID:12996
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵
- Views/modifies file attributes
PID:13032
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵PID:13016
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵PID:13288
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵PID:13916
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵PID:13860
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵PID:13892
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵PID:13428
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵PID:10160
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵PID:10192
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵PID:9512
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵PID:7800
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵PID:30972
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵PID:28248
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵PID:10928
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵PID:18364
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵PID:18188
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵PID:18164
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵
- Views/modifies file attributes
PID:18116
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵PID:14460
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵PID:14096
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
- Sets file to hidden
PID:13988
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵PID:13620
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵PID:15388
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵PID:15820
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵PID:15944
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵PID:15920
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵PID:16580
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵PID:18132
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵PID:18008
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵PID:18056
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵PID:17440
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵PID:17232
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵PID:17180
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵
- Sets file to hidden
PID:17132
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵PID:18268
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵PID:19580
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵PID:19636
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵PID:18688
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵PID:19176
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵PID:20364
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Sets file to hidden
- Views/modifies file attributes
PID:19564
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵
- Sets file to hidden
- Views/modifies file attributes
PID:19932
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵PID:21508
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵PID:18788
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵
- Sets file to hidden
- Views/modifies file attributes
PID:23588
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
- Sets file to hidden
PID:23612
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵PID:24284
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵PID:24556
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵
- Sets file to hidden
PID:24708
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵
- Views/modifies file attributes
PID:24644
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵PID:25156
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵PID:25588
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
- Views/modifies file attributes
PID:25644
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵PID:25684
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵PID:26196
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵PID:26428
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵
- Views/modifies file attributes
PID:26524
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵PID:26944
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵PID:27388
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵PID:27604
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
- Views/modifies file attributes
PID:27712
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵
- Sets file to hidden
- Views/modifies file attributes
PID:27752
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵PID:27864
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵PID:19344
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵PID:19668
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵PID:19120
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵PID:28804
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵PID:29608
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵PID:29684
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵PID:29672
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵PID:31060
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵PID:30748
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵
- Sets file to hidden
PID:30704
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵PID:30640
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵PID:31404
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵PID:31604
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵PID:31700
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
- Sets file to hidden
PID:31736
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵PID:32288
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵PID:32504
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵PID:32556
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵PID:32568
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵PID:33116
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵PID:33352
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h97⤵PID:4468
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h97⤵
- Sets file to hidden
PID:18844
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"97⤵PID:4668
-
C:\Windows\SysWOW64\notepad.exenotepad98⤵PID:27500
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h98⤵
- Views/modifies file attributes
PID:27796
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h98⤵PID:27776
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"98⤵PID:28040
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵PID:27440
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h99⤵PID:27788
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h99⤵
- Sets file to hidden
PID:27820
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"99⤵PID:2368
-
C:\Windows\SysWOW64\notepad.exenotepad100⤵PID:32380
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h100⤵PID:32260
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h100⤵PID:31988
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"100⤵PID:31096
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵PID:29620
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h101⤵PID:29664
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h101⤵PID:5732
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"101⤵PID:20276
-
C:\Windows\SysWOW64\notepad.exenotepad102⤵PID:29964
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h102⤵PID:30028
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h102⤵
- Views/modifies file attributes
PID:30004
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"102⤵PID:20744
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵PID:20568
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h103⤵PID:19940
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h103⤵PID:19872
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"103⤵PID:20212
-
C:\Windows\SysWOW64\notepad.exenotepad104⤵PID:20616
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h104⤵
- Views/modifies file attributes
PID:18936
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h104⤵PID:18912
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"104⤵PID:11612
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵PID:28212
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h105⤵PID:28164
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h105⤵PID:3656
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"105⤵PID:22124
-
C:\Windows\SysWOW64\notepad.exenotepad106⤵PID:24868
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h106⤵
- Sets file to hidden
PID:24936
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h106⤵
- Sets file to hidden
PID:24964
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"106⤵PID:27460
-
C:\Windows\SysWOW64\notepad.exenotepad107⤵PID:32944
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h107⤵
- Sets file to hidden
PID:33032
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h107⤵PID:33324
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"107⤵PID:11636
-
C:\Windows\SysWOW64\notepad.exenotepad108⤵PID:29264
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h108⤵
- Views/modifies file attributes
PID:29176
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h108⤵PID:29112
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"108⤵PID:28608
-
C:\Windows\SysWOW64\notepad.exenotepad109⤵PID:28416
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h109⤵PID:28392
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h109⤵
- Views/modifies file attributes
PID:28352
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"109⤵PID:21588
-
C:\Windows\SysWOW64\notepad.exenotepad110⤵PID:21352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 21352 -s 84111⤵
- Program crash
PID:22984
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h110⤵
- Views/modifies file attributes
PID:21292
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h110⤵PID:22116
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"110⤵PID:23188
-
C:\Windows\SysWOW64\notepad.exenotepad111⤵PID:23396
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h111⤵
- Views/modifies file attributes
PID:23440
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h111⤵PID:23580
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"111⤵PID:24360
-
C:\Windows\SysWOW64\notepad.exenotepad112⤵PID:24184
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h112⤵PID:24112
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h112⤵PID:24084
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"112⤵PID:25276
-
C:\Windows\SysWOW64\notepad.exenotepad113⤵PID:25508
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h113⤵PID:25544
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h113⤵
- Sets file to hidden
PID:25616
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"113⤵PID:26156
-
C:\Windows\SysWOW64\notepad.exenotepad114⤵PID:26368
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h114⤵
- Sets file to hidden
PID:26396
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h114⤵PID:26500
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"114⤵PID:27028
-
C:\Windows\SysWOW64\notepad.exenotepad115⤵PID:32652
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h115⤵PID:27892
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h115⤵
- Sets file to hidden
PID:27876
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"115⤵PID:8692
-
C:\Windows\SysWOW64\notepad.exenotepad116⤵PID:30420
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h116⤵PID:28128
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h116⤵PID:13912
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"116⤵PID:29744
-
C:\Windows\SysWOW64\notepad.exenotepad117⤵PID:30016
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h117⤵PID:30064
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h117⤵
- Sets file to hidden
PID:30192
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"117⤵PID:272
-
C:\Windows\SysWOW64\notepad.exenotepad118⤵PID:32280
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h118⤵PID:11664
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h118⤵PID:30572
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"118⤵PID:32520
-
C:\Windows\SysWOW64\notepad.exenotepad119⤵PID:32544
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h119⤵
- Sets file to hidden
PID:8848
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h119⤵PID:7744
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"119⤵PID:3616
-
C:\Windows\SysWOW64\notepad.exenotepad120⤵PID:1216
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h120⤵
- Sets file to hidden
PID:5628
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h120⤵
- Views/modifies file attributes
PID:4420
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"120⤵PID:2380
-
C:\Windows\SysWOW64\notepad.exenotepad121⤵PID:4648
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h121⤵PID:30488
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h121⤵PID:33524
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"121⤵PID:32036
-
C:\Windows\SysWOW64\notepad.exenotepad122⤵PID:31896
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-