hawkeye | 8b0d348d3d3e8c9228992f9ceeb2d471772b91d29118754e3ee9798d4158d17d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
Size

7.4MB
MD5

c302c6a8c627cf3fa3bc67dafa5c9d08
SHA1

a317eb49d26c081286bc1edd421de7bff5af8362
SHA256

8b0d348d3d3e8c9228992f9ceeb2d471772b91d29118754e3ee9798d4158d17d
SHA512

95792f955888dcbea5b70aeff5f54fb9dec07015379419e07eb9cc10642cad0f10952e3c21f4cdb5edd3d272ae9173887cb496fb3192ffbd3ac79359f1612b48
SSDEEP

196608:LeCT6KLXMCHGLLc54i1wN+ojXx5nDasqWQ2dTNUGqlA+iITmavMB:KC+KLXMCHWUjAjx5WsqWxTwxTJU

Score

10^/10

hawkeye keylogger persistence pyinstaller spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Executes dropped EXE 64 IoCs

pid	Process
1616	WindowsUpdate.exe
5108	WindowsUpdate.exe
4972	WindowsUpdate.exe
3452	WindowsUpdate.exe
776	WindowsUpdate.exe
4472	WindowsUpdate.exe
3296	WindowsUpdate.exe
3884	WindowsUpdate.exe
4448	WindowsUpdate.exe
1900	WindowsUpdate.exe
2360	WindowsUpdate.exe
4024	WindowsUpdate.exe
3848	WindowsUpdate.exe
3032	WindowsUpdate.exe
1160	WindowsUpdate.exe
3208	WindowsUpdate.exe
2432	WindowsUpdate.exe
4620	WindowsUpdate.exe
3664	WindowsUpdate.exe
1928	WindowsUpdate.exe
2700	WindowsUpdate.exe
232	WindowsUpdate.exe
1252	WindowsUpdate.exe
1124	WindowsUpdate.exe
5152	WindowsUpdate.exe
5228	WindowsUpdate.exe
5312	WindowsUpdate.exe
5388	WindowsUpdate.exe
5460	WindowsUpdate.exe
5540	WindowsUpdate.exe
5616	WindowsUpdate.exe
5752	WindowsUpdate.exe
5892	WindowsUpdate.exe
5968	WindowsUpdate.exe
6040	WindowsUpdate.exe
6120	WindowsUpdate.exe
5204	WindowsUpdate.exe
5372	WindowsUpdate.exe
3784	WindowsUpdate.exe
3136	WindowsUpdate.exe
5664	WindowsUpdate.exe
5948	WindowsUpdate.exe
6108	WindowsUpdate.exe
4872	WindowsUpdate.exe
5744	WindowsUpdate.exe
5272	WindowsUpdate.exe
2684	WindowsUpdate.exe
5944	WindowsUpdate.exe
5916	WindowsUpdate.exe
5936	WindowsUpdate.exe
6208	WindowsUpdate.exe
6284	WindowsUpdate.exe
6360	WindowsUpdate.exe
6436	WindowsUpdate.exe
6520	WindowsUpdate.exe
6596	WindowsUpdate.exe
6676	WindowsUpdate.exe
6752	WindowsUpdate.exe
6824	WindowsUpdate.exe
6900	WindowsUpdate.exe
6972	WindowsUpdate.exe
7048	WindowsUpdate.exe
7124	WindowsUpdate.exe
6252	WindowsUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
3596	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
5108	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
3452	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
4472	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe
3884	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	WindowsUpdate.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000240d7-45.dat	pyinstaller

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3596	4948	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe	88
PID 4948 wrote to memory of 3596	4948	2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe	88
PID 2848 wrote to memory of 1616	2848	cmd.exe	91
PID 2848 wrote to memory of 1616	2848	cmd.exe	91
PID 1616 wrote to memory of 5108	1616	WindowsUpdate.exe	94
PID 1616 wrote to memory of 5108	1616	WindowsUpdate.exe	94
PID 4640 wrote to memory of 4972	4640	cmd.exe	98
PID 4640 wrote to memory of 4972	4640	cmd.exe	98
PID 4972 wrote to memory of 3452	4972	WindowsUpdate.exe	99
PID 4972 wrote to memory of 3452	4972	WindowsUpdate.exe	99
PID 60 wrote to memory of 776	60	cmd.exe	102
PID 60 wrote to memory of 776	60	cmd.exe	102
PID 776 wrote to memory of 4472	776	WindowsUpdate.exe	103
PID 776 wrote to memory of 4472	776	WindowsUpdate.exe	103
PID 4044 wrote to memory of 3296	4044	cmd.exe	106
PID 4044 wrote to memory of 3296	4044	cmd.exe	106
PID 3296 wrote to memory of 3884	3296	WindowsUpdate.exe	109
PID 3296 wrote to memory of 3884	3296	WindowsUpdate.exe	109
PID 1520 wrote to memory of 4448	1520	cmd.exe	112
PID 1520 wrote to memory of 4448	1520	cmd.exe	112
PID 4448 wrote to memory of 1900	4448	WindowsUpdate.exe	113
PID 4448 wrote to memory of 1900	4448	WindowsUpdate.exe	113
PID 2828 wrote to memory of 2360	2828	cmd.exe	118
PID 2828 wrote to memory of 2360	2828	cmd.exe	118
PID 2360 wrote to memory of 4024	2360	WindowsUpdate.exe	119
PID 2360 wrote to memory of 4024	2360	WindowsUpdate.exe	119
PID 5072 wrote to memory of 3848	5072	cmd.exe	122
PID 5072 wrote to memory of 3848	5072	cmd.exe	122
PID 3848 wrote to memory of 3032	3848	WindowsUpdate.exe	123
PID 3848 wrote to memory of 3032	3848	WindowsUpdate.exe	123
PID 5056 wrote to memory of 1160	5056	cmd.exe	126
PID 5056 wrote to memory of 1160	5056	cmd.exe	126
PID 1160 wrote to memory of 3208	1160	WindowsUpdate.exe	127
PID 1160 wrote to memory of 3208	1160	WindowsUpdate.exe	127
PID 4380 wrote to memory of 2432	4380	cmd.exe	130
PID 4380 wrote to memory of 2432	4380	cmd.exe	130
PID 2432 wrote to memory of 4620	2432	WindowsUpdate.exe	131
PID 2432 wrote to memory of 4620	2432	WindowsUpdate.exe	131
PID 8 wrote to memory of 3664	8	cmd.exe	134
PID 8 wrote to memory of 3664	8	cmd.exe	134
PID 3664 wrote to memory of 1928	3664	WindowsUpdate.exe	135
PID 3664 wrote to memory of 1928	3664	WindowsUpdate.exe	135
PID 1688 wrote to memory of 2700	1688	cmd.exe	139
PID 1688 wrote to memory of 2700	1688	cmd.exe	139
PID 2700 wrote to memory of 232	2700	WindowsUpdate.exe	140
PID 2700 wrote to memory of 232	2700	WindowsUpdate.exe	140
PID 2044 wrote to memory of 1252	2044	cmd.exe	143
PID 2044 wrote to memory of 1252	2044	cmd.exe	143
PID 1252 wrote to memory of 1124	1252	WindowsUpdate.exe	144
PID 1252 wrote to memory of 1124	1252	WindowsUpdate.exe	144
PID 1240 wrote to memory of 5152	1240	cmd.exe	147
PID 1240 wrote to memory of 5152	1240	cmd.exe	147
PID 5152 wrote to memory of 5228	5152	WindowsUpdate.exe	148
PID 5152 wrote to memory of 5228	5152	WindowsUpdate.exe	148
PID 5252 wrote to memory of 5312	5252	cmd.exe	151
PID 5252 wrote to memory of 5312	5252	cmd.exe	151
PID 5312 wrote to memory of 5388	5312	WindowsUpdate.exe	152
PID 5312 wrote to memory of 5388	5312	WindowsUpdate.exe	152
PID 5412 wrote to memory of 5460	5412	cmd.exe	155
PID 5412 wrote to memory of 5460	5412	cmd.exe	155
PID 5460 wrote to memory of 5540	5460	WindowsUpdate.exe	156
PID 5460 wrote to memory of 5540	5460	WindowsUpdate.exe	156
PID 5564 wrote to memory of 5616	5564	cmd.exe	159
PID 5564 wrote to memory of 5616	5564	cmd.exe	159

C:\Users\Admin\AppData\Local\Temp\2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-04-07_c302c6a8c627cf3fa3bc67dafa5c9d08_black-basta_cobalt-strike_satacom.exe"
  2⤵
  - Loads dropped DLL
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5152
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5252
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5312
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5412
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5460
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5564
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5616
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5892
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6040
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5204
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5488
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:3048
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5664
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6108
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:1048
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5744
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5368
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:5916
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6160
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6208
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6308
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6360
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6460
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6520
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6616
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6676
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6772
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6824
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6924
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:6972
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7072
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  - Executes dropped EXE
  PID:7124
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6276
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:6412
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6588
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:6724
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6992
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7040
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:6748
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6232
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:6864
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6876
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7228
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7328
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7380
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:7460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7484
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7532
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7632
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7680
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7780
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7832
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7932
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7980
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8080
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8128
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7256
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7408
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7696
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7860
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8152
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7436
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7724
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8036
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7560
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7552
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8292
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8348
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:8424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8452
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8508
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8616
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8668
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8764
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8820
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:8896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8924
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8976
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:9056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9084
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9140
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8232
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8400
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8632
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8728
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:8880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8936
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9052
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7728
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8468
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8876
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9184
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:8844
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:8540
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9224
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9284
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9384
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9432
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:9508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9532
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9580
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9692
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9740
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9856
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9904
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:9992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10016
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10072
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10188
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10236
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9472
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9612
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9872
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:600
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:10144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:9308
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9488
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10032
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9324
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:9772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:9768
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10364
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10436
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10572
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10648
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10764
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10824
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10932
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10996
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:11092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11116
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11184
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10280
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:2448
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:10524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10676
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10728
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:10888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11012
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11084
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:10260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10508
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10880
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:11248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:2120
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11224
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10472
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11308
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11512
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11576
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11716
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11780
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11896
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11952
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12052
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12116
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12224
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12284
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:10252
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:10916
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:9756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11840
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12152
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12236
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12000
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11332
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11444
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:11640
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6820
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12324
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12428
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12488
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:12564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12592
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12656
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:12732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12756
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12820
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12924
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:13000
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:13076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:13108
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:13176
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:13284
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12340
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12524
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:12720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:6720
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12940
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:13236
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:12292
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:12696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:7524
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:13256
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:11764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:11164
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:7824
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:12700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:12692
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:13384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:13424
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:13476
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
1⤵
PID:13592
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  2⤵
  PID:13664
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    3⤵
    - Adds Run key to start application
    PID:13748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI49482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_decimal.pyd

Filesize
251KB

MD5
7ae94f5a66986cbc1a2b3c65a8d617f3

SHA1
28abefb1df38514b9ffe562f82f8c77129ca3f7d

SHA256
da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4

SHA512
fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\base_library.zip

Filesize
1.3MB

MD5
0baafd93b5cf0b940b66c83cca64a42a

SHA1
eb54637d07929abf98baaa4a73ee7a826f5cc20f

SHA256
bd26181fd924b6585f0f6f1159277b849fc96461cf0e7722ab385f1ac96d5ddb

SHA512
d40fe1caf49e793b7c492a41704888866614cef62a2f13c48df148a58683c2490fa70c6f2ab11f74d301d9a4ded890e7c3d17fa2b2f8fe35628e28e8a3243952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
7.4MB

MD5
c302c6a8c627cf3fa3bc67dafa5c9d08

SHA1
a317eb49d26c081286bc1edd421de7bff5af8362

SHA256
8b0d348d3d3e8c9228992f9ceeb2d471772b91d29118754e3ee9798d4158d17d

SHA512
95792f955888dcbea5b70aeff5f54fb9dec07015379419e07eb9cc10642cad0f10952e3c21f4cdb5edd3d272ae9173887cb496fb3192ffbd3ac79359f1612b48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads