fc44937657804765aa8a05b2faf58fca83738edcacf9bb3c64770b8fc9cb6a6f

Analysis

max time kernel
103s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XtremeShell 4.3 Portable.exe
Size

9.1MB
MD5

71151b0df6c008855a004b2975e3f822
SHA1

a07eb40d7badde7dc462c8a83d648cbdafe36acd
SHA256

fc44937657804765aa8a05b2faf58fca83738edcacf9bb3c64770b8fc9cb6a6f
SHA512

7daafaebf54ed538e109dd5b71363994967dadcf282cd05b7923a2cc9ca6adff9ba6472332cd44c9a2ee1be77b6793631b78cbd9fda1c6d5bd80ef6d63176963
SSDEEP

196608:hXVAqaXa6JfRYmEac7V8QW5oiwDkZUuYGZKQlX8yC3O13:hFANrYmEaCmj5oiwDkO+KdlK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3672	choco.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	XtremeShell 4.3 Portable.exe

Power Settings 1 TTPs 3 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1288	powercfg.exe
3576	powercfg.exe
4520	powercfg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\ResPriHMStaticDb.ebd	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\DISM.EXE-DE199F71.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1589E4C3.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-01E21A55.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-EC3F9239.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace1.fx	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-A54E2C12.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FFCC5BB3.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2C52326A.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-976DB280.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7E8D1C35.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-96A7E1CF.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf	XtremeShell 4.3 Portable.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf	XtremeShell 4.3 Portable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe

Modifies registry key 1 TTPs 53 IoCs

Modify Registry

T1112

pid	Process
2328	reg.exe
1664	reg.exe
3400	reg.exe
2500	reg.exe
2828	reg.exe
4404	reg.exe
4396	reg.exe
2772	reg.exe
4748	reg.exe
388	reg.exe
388	reg.exe
4456	reg.exe
2344	reg.exe
1088	reg.exe
3772	reg.exe
2348	reg.exe
4568	reg.exe
1648	reg.exe
2192	reg.exe
4088	reg.exe
5052	reg.exe
1908	reg.exe
1152	reg.exe
3740	reg.exe
1956	reg.exe
3556	reg.exe
2248	reg.exe
3652	reg.exe
4128	reg.exe
1088	reg.exe
4204	reg.exe
3776	reg.exe
2012	reg.exe
4452	reg.exe
4052	reg.exe
2356	reg.exe
1840	reg.exe
4000	reg.exe
2820	reg.exe
2480	reg.exe
1604	reg.exe
2864	reg.exe
1392	reg.exe
604	reg.exe
4628	reg.exe
5016	reg.exe
880	reg.exe
4048	reg.exe
1288	reg.exe
2800	reg.exe
1424	reg.exe
3972	reg.exe
2084	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	XtremeShell 4.3 Portable.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	XtremeShell 4.3 Portable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	XtremeShell 4.3 Portable.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4512	XtremeShell 4.3 Portable.exe
4512	XtremeShell 4.3 Portable.exe
4512	XtremeShell 4.3 Portable.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeIncreaseQuotaPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSecurityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeTakeOwnershipPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeLoadDriverPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemProfilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemtimePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeProfSingleProcessPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeIncBasePriorityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeCreatePagefilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeBackupPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRestorePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeDebugPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemEnvironmentPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRemoteShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeUndockPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeManageVolumePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: 33	4512	XtremeShell 4.3 Portable.exe
Token: 34	4512	XtremeShell 4.3 Portable.exe
Token: 35	4512	XtremeShell 4.3 Portable.exe
Token: 36	4512	XtremeShell 4.3 Portable.exe
Token: SeIncreaseQuotaPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSecurityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeTakeOwnershipPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeLoadDriverPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemProfilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemtimePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeProfSingleProcessPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeIncBasePriorityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeCreatePagefilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeBackupPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRestorePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeDebugPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemEnvironmentPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRemoteShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeUndockPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeManageVolumePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: 33	4512	XtremeShell 4.3 Portable.exe
Token: 34	4512	XtremeShell 4.3 Portable.exe
Token: 35	4512	XtremeShell 4.3 Portable.exe
Token: 36	4512	XtremeShell 4.3 Portable.exe
Token: SeIncreaseQuotaPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSecurityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeTakeOwnershipPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeLoadDriverPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemProfilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemtimePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeProfSingleProcessPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeIncBasePriorityPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeCreatePagefilePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeBackupPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRestorePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeDebugPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeSystemEnvironmentPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeRemoteShutdownPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeUndockPrivilege	4512	XtremeShell 4.3 Portable.exe
Token: SeManageVolumePrivilege	4512	XtremeShell 4.3 Portable.exe
Token: 33	4512	XtremeShell 4.3 Portable.exe
Token: 34	4512	XtremeShell 4.3 Portable.exe
Token: 35	4512	XtremeShell 4.3 Portable.exe
Token: 36	4512	XtremeShell 4.3 Portable.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
836	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1424	4512	XtremeShell 4.3 Portable.exe	94
PID 4512 wrote to memory of 1424	4512	XtremeShell 4.3 Portable.exe	94
PID 4512 wrote to memory of 4424	4512	XtremeShell 4.3 Portable.exe	95
PID 4512 wrote to memory of 4424	4512	XtremeShell 4.3 Portable.exe	95
PID 4512 wrote to memory of 3356	4512	XtremeShell 4.3 Portable.exe	96
PID 4512 wrote to memory of 3356	4512	XtremeShell 4.3 Portable.exe	96
PID 4512 wrote to memory of 4204	4512	XtremeShell 4.3 Portable.exe	97
PID 4512 wrote to memory of 4204	4512	XtremeShell 4.3 Portable.exe	97
PID 4512 wrote to memory of 3672	4512	XtremeShell 4.3 Portable.exe	98
PID 4512 wrote to memory of 3672	4512	XtremeShell 4.3 Portable.exe	98
PID 4512 wrote to memory of 3672	4512	XtremeShell 4.3 Portable.exe	98
PID 4512 wrote to memory of 3772	4512	XtremeShell 4.3 Portable.exe	100
PID 4512 wrote to memory of 3772	4512	XtremeShell 4.3 Portable.exe	100
PID 4512 wrote to memory of 2192	4512	XtremeShell 4.3 Portable.exe	101
PID 4512 wrote to memory of 2192	4512	XtremeShell 4.3 Portable.exe	101
PID 4512 wrote to memory of 2348	4512	XtremeShell 4.3 Portable.exe	102
PID 4512 wrote to memory of 2348	4512	XtremeShell 4.3 Portable.exe	102
PID 4512 wrote to memory of 1908	4512	XtremeShell 4.3 Portable.exe	103
PID 4512 wrote to memory of 1908	4512	XtremeShell 4.3 Portable.exe	103
PID 4512 wrote to memory of 2864	4512	XtremeShell 4.3 Portable.exe	104
PID 4512 wrote to memory of 2864	4512	XtremeShell 4.3 Portable.exe	104
PID 4512 wrote to memory of 2356	4512	XtremeShell 4.3 Portable.exe	105
PID 4512 wrote to memory of 2356	4512	XtremeShell 4.3 Portable.exe	105
PID 4512 wrote to memory of 4088	4512	XtremeShell 4.3 Portable.exe	106
PID 4512 wrote to memory of 4088	4512	XtremeShell 4.3 Portable.exe	106
PID 4512 wrote to memory of 4568	4512	XtremeShell 4.3 Portable.exe	107
PID 4512 wrote to memory of 4568	4512	XtremeShell 4.3 Portable.exe	107
PID 4512 wrote to memory of 3740	4512	XtremeShell 4.3 Portable.exe	108
PID 4512 wrote to memory of 3740	4512	XtremeShell 4.3 Portable.exe	108
PID 4512 wrote to memory of 1288	4512	XtremeShell 4.3 Portable.exe	109
PID 4512 wrote to memory of 1288	4512	XtremeShell 4.3 Portable.exe	109
PID 4512 wrote to memory of 1840	4512	XtremeShell 4.3 Portable.exe	110
PID 4512 wrote to memory of 1840	4512	XtremeShell 4.3 Portable.exe	110
PID 4512 wrote to memory of 4128	4512	XtremeShell 4.3 Portable.exe	111
PID 4512 wrote to memory of 4128	4512	XtremeShell 4.3 Portable.exe	111
PID 4512 wrote to memory of 1088	4512	XtremeShell 4.3 Portable.exe	112
PID 4512 wrote to memory of 1088	4512	XtremeShell 4.3 Portable.exe	112
PID 4512 wrote to memory of 2800	4512	XtremeShell 4.3 Portable.exe	113
PID 4512 wrote to memory of 2800	4512	XtremeShell 4.3 Portable.exe	113
PID 4512 wrote to memory of 4000	4512	XtremeShell 4.3 Portable.exe	114
PID 4512 wrote to memory of 4000	4512	XtremeShell 4.3 Portable.exe	114
PID 4512 wrote to memory of 2012	4512	XtremeShell 4.3 Portable.exe	115
PID 4512 wrote to memory of 2012	4512	XtremeShell 4.3 Portable.exe	115
PID 4512 wrote to memory of 3652	4512	XtremeShell 4.3 Portable.exe	116
PID 4512 wrote to memory of 3652	4512	XtremeShell 4.3 Portable.exe	116
PID 4512 wrote to memory of 4204	4512	XtremeShell 4.3 Portable.exe	117
PID 4512 wrote to memory of 4204	4512	XtremeShell 4.3 Portable.exe	117
PID 4512 wrote to memory of 388	4512	XtremeShell 4.3 Portable.exe	118
PID 4512 wrote to memory of 388	4512	XtremeShell 4.3 Portable.exe	118
PID 4512 wrote to memory of 1392	4512	XtremeShell 4.3 Portable.exe	119
PID 4512 wrote to memory of 1392	4512	XtremeShell 4.3 Portable.exe	119
PID 4512 wrote to memory of 1664	4512	XtremeShell 4.3 Portable.exe	120
PID 4512 wrote to memory of 1664	4512	XtremeShell 4.3 Portable.exe	120
PID 4512 wrote to memory of 3400	4512	XtremeShell 4.3 Portable.exe	121
PID 4512 wrote to memory of 3400	4512	XtremeShell 4.3 Portable.exe	121
PID 4512 wrote to memory of 3776	4512	XtremeShell 4.3 Portable.exe	122
PID 4512 wrote to memory of 3776	4512	XtremeShell 4.3 Portable.exe	122
PID 4512 wrote to memory of 1956	4512	XtremeShell 4.3 Portable.exe	123
PID 4512 wrote to memory of 1956	4512	XtremeShell 4.3 Portable.exe	123
PID 4512 wrote to memory of 3972	4512	XtremeShell 4.3 Portable.exe	124
PID 4512 wrote to memory of 3972	4512	XtremeShell 4.3 Portable.exe	124
PID 4512 wrote to memory of 5052	4512	XtremeShell 4.3 Portable.exe	125
PID 4512 wrote to memory of 5052	4512	XtremeShell 4.3 Portable.exe	125
PID 4512 wrote to memory of 3556	4512	XtremeShell 4.3 Portable.exe	126

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	XtremeShell 4.3 Portable.exe

C:\Users\Admin\AppData\Local\Temp\XtremeShell 4.3 Portable.exe
"C:\Users\Admin\AppData\Local\Temp\XtremeShell 4.3 Portable.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512
- C:\Windows\System32\setx.exe
  "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133701222246510938
  2⤵
  PID:1424
- C:\Windows\System32\setx.exe
  "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133701222248385987
  2⤵
  PID:4424
- C:\Windows\System32\setx.exe
  "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133701222249167154
  2⤵
  PID:3356
- C:\Windows\System32\setx.exe
  "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133701222256042213
  2⤵
  PID:4204
- C:\ProgramData\chocolatey\choco.exe
  "C:\ProgramData\chocolatey\choco.exe" -v
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 22StokedOnIt.NotebookPro_ffs55s3hze5sr /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3772
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 2FE3CB00.PicsArt-PhotoStudio_crhqpqs3x1ygc /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2192
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 41038Axilesoft.ACGMediaPlayer_wxjjre7dryqb6 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2348
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 5CB722CC.SeekersNotesMysteriesofDarkwood_ypk0bew5psyra /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1908
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 7458BE2C.WorldofTanksBlitz_x4tje2y229k00 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2864
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2356
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 828B5831.TheSecretSociety-HiddenMystery_ytsefhwckbdv6 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4088
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 89006A2E.AutodeskSketchBook_tf1gferkr813w /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4568
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v 9E2F88E3.Twitter_wgeqdkkx372wm /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3740
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v A278AB0D.AsphaltStreetStormRacing_h6adky7gbf63m /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1288
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v A278AB0D.DisneyMagicKingdoms_h6adky7gbf63m /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1840
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v A278AB0D.DragonManiaLegends_h6adky7gbf63m /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4128
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v A278AB0D.MarchofEmpires_h6adky7gbf63m /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1088
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v AdobeSystemsIncorporated.PhotoshopElements2018_ynb6jyjzte8ga /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2800
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v CAF9E577.Plex_aam28m9va5cke /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4000
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v DolbyLaboratories.DolbyAccess_rz1tebttyb220 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2012
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Drawboard.DrawboardPDF_gqbn7fs4pywxm /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3652
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Expedia.ExpediaHotelsFlightsCarsActivities_0wbx8rnn4qk5c /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4204
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Facebook.317180B0BB486_8xx8rvfyw5nnt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:388
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Facebook.Facebook_8xx8rvfyw5nnt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1392
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Facebook.InstagramBeta_8xx8rvfyw5nnt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1664
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Fitbit.FitbitCoach_6mqt6hf9g46tw /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3400
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v flaregamesGmbH.RoyalRevolt2_g0q0z3kw54rap /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3776
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v GAMELOFTSA.Asphalt8Airborne_0pp20fcewvvtj /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1956
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v king.com.BubbleWitch3Saga_kgqvnymyfvs32 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3972
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v king.com.CandyCrushSaga_kgqvnymyfvs32 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:5052
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v king.com.CandyCrushSodaSaga_kgqvnymyfvs32 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3556
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.AgeCastles_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:604
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.BingNews_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1424
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.BingSports_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4404
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.BingWeather_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4396
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v microsoft.microsoftskydrive_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2820
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4452
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.MinecraftUWP_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4052
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Microsoft.MSPaint_8wekyb3d8bbwe /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v NAVER.LINEwin8_8ptj331gd3tyt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4628
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v Nordcurrent.CookingFever_m9bz608c1b9ra /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:5016
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v SiliconBendersLLC.Sketchable_r2kxzpx527qgj /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2248
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v SpotifyAB.SpotifyMusic_zpdnekdrzrea0 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2084
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v ThumbmunkeysLtd.PhototasticCollage_nfy108tqq3p12 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4456
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v USATODAY.USATODAY_wy7mw3214mat8 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2480
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps /v WinZipComputing.WinZipUniversal_3ykzqggjzj4z0 /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2344
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSyncProviderNotifications /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1648
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1152
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Id /f
  2⤵
  - Modifies registry key
  PID:2500
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1604
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2772
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v CortanaConsent /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2328
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Search" /v CortanaConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:880
- C:\Windows\system32\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
  2⤵
  - Power Settings
  PID:4520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avx0z144\avx0z144.cmdline"
  2⤵
  PID:4632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BE4.tmp" "c:\Users\Admin\AppData\Local\Temp\avx0z144\CSC81F2FC06FDE47B0AAA9B725A5ED874.TMP"
    3⤵
    PID:2072
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:388
- C:\Windows\system32\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Power Settings
  PID:1288
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1088
- C:\Windows\system32\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Power Settings
  PID:3576
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v LaunchTo /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4048
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4748
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCopilotButton /t REG_DWORD /d 0 /f
  2⤵
  PID:4716
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCopilotButton /t REG_DWORD /d 1 /f
  2⤵
  PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3969055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\choco.exe

Filesize
11.0MB

MD5
79938b2029f98330a31a787e41e266ab

SHA1
4146a3e2e8a3091a9b037f2b5f25ca607a0e8085

SHA256
fa72c03c6d1e174cbc5d91ad0ea4aff7db3dfb3c502b2103e87c8b4a8fe07fc5

SHA512
db2d1bbae0781005ed3fcb0924f6d19ce73de965937a872ac9cf52d41cb1b31240d702f735bbf039faedc6b59ddf31253b5ae1c71e1c51e15da452614c3e9c87

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
11.0MB

MD5
76d8fe544353fb6dfc258fcfbe9264d9

SHA1
6bc15a025ab989d20e6c9b9a42344d42c688d5e3

SHA256
9a058764417a634dcb53af74c50f9552af3bc0b873a562f383af36feefc1496e

SHA512
01111dc18641c6fd4177b71d733b3b39d31f69bac6d0ff346a9b0ebcb72e6e34cc35a5a710e291ca9e4c0d2d4ae64dab398b879a84a457458c130460c1a6c604

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.3672.update

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
bf5ee790510b3a2980412675d29a293c

SHA1
164b0bf972cc0c4ff56c47641a047af4743f598c

SHA256
671fed8b51891ab5e1639033e4477f4311d2b139b4eccd4248e84b0c9028d0d0

SHA512
659ef4cf6e973448469c21507ef67902bbd8a8fe11a92c699c3a782b8b68eed1690246652f93731fce1a6147777965773c1c3a8246a19caa73763a26e5524a07

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
e8bac37a757868857bc10b0716726a18

SHA1
0eeabf725b42376ecb13a299de267a8d886972ce

SHA256
2d5a1861a28ecbc6bb666358d6ff2136216e343839bd55b412c2ef7e6d2a39d3

SHA512
01727041fa7ea28357598cb6a5bc7aa1d8c3e3b8c5a6efd31f2842944a22d0c90d4f47f8e85ea643ac2f4ac8605a9819a105328af46e8bd6075315138da2d95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6BE4.tmp

Filesize
1KB

MD5
0a6683866b9a9a17d1f191dfc8054cc5

SHA1
a8bfb0a62f6bdc400f7ac47e3dac1adbbde4cd83

SHA256
bf1c2c3e05578952fbbd09b49d445c7e301aeaf2af52b47b57ba77068ccb908b

SHA512
ab721b672669459db5a3ae4709f58baa85920038e37b9eed8aeafc6d91913b482228c5b0ab9c0ade3c313336143709a672d6788eec4e86b136e24b6ef551032f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txb2uphb.ye0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avx0z144\avx0z144.dll

Filesize
3KB

MD5
5d41129cd81e327db770e144358234eb

SHA1
b117e42df0220eca2c729c5f6d585488f820a844

SHA256
23a576a468c19a3a3bc2b3a2940564534393987bf1a699e0b58981371c144d40

SHA512
cc35e79a7d1d0bd5cfe8480840ac87cc8a960cfd05a379eeb74ddc6513c67c4274280a8515ea97fa51504d4ba565a61407fa8332fe7b194e58c47d7445fa85e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.1MB

MD5
95231e41829f1c3a5ae890b71bcef1fa

SHA1
6fbda9446ed3d182f6680e06d4fd3f27d346cd7b

SHA256
c73d4eda9ab5ca89583ef90838c4b819a304c9ac5a8ad5a89dcb7edb15ab5fcf

SHA512
8c035dc01cde656c4d0e5b7b14355b3e8e45f6e54cdd703d817a1c547faee6eeff5299b31da6f6dad85be166417078eb7b256c6fcb895e94ec47049f53facb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
50KB

MD5
7677758586925baf4e9d7573bf12f273

SHA1
2f54bd889a52ccaca36df204a663b092ad8ab7b0

SHA256
4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b

SHA512
a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
30KB

MD5
fd3cac756296e10b23acb8b9f9a0fead

SHA1
287d3f5e0315a9fd5f6327d35c76571ea7d569d6

SHA256
b0915eb7f0d7fdbe4dcf6756d163199c80e49220f3fec9270c8e75ccd4349c30

SHA512
4d303bcb0ec769124d368da5142bd35c862b2da43c900bdbefe57778df9d286a80c5099d8e7e751a08ca6bddbfeccf3cb11cf182887472c1a6b0b43c62a0fc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
48KB

MD5
b01ce7945b984a7d4577948805bdc514

SHA1
1fc6bcc433bef5f5ac7f89f94fb7e792a1639f48

SHA256
6cfe6aaf300b0447eabad6f801dcc38461b0802f75f433dde2c642e52bc9d36b

SHA512
a6cd52038d37a1eedd780d60cb1cf18fbd96c33727dee14895e6781154b25de7a3a3d2fdf31aa60ac156200026f475194cf6261dc230bec8023aab0cf6110047

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
28KB

MD5
e7e5066e40b28d8258e840b6e1594d12

SHA1
d2f3caf9755d0b7746ae16936dbfea4acb3f44f5

SHA256
9dcd26d37f492d76816f17529ae33851416dd4d7841dde7af505b9edee50baf3

SHA512
5534cdc3c7fcbd6ac07d13b95aed8c1d2c8d007641c5184b8053c98dc0723ae3e7321722d443b68da68184d7f73ff347a988718f83f767bb6b5266a3af72fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
2d821e986cc3d5baed2b35fd7c98291c

SHA1
6838f726ef41a3fef1878af6e1b5d88dfc148ae2

SHA256
91b8605fafba35d44f4352aa96f8d8fb366d0970e68bd194326f80eca67bf6d3

SHA512
37695fe351a5ee1c7326f77f653a49cad9c9a3a2dce3f3761d2baaece77f927691ac47a81ba8d0ac2f89c868d72f0e9751ab0f78375dcec936566c6c87297d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
9ab70fc7ce569afeb61472fecfcff233

SHA1
6e3572be787d452219fa86deae45bff98b5733d7

SHA256
2e8cee54c264ec344ca3049fa361bd2da721232162bfd5bb75a30bf0130c6a69

SHA512
8dddadd28e6ff07f2aa4115e430fdbdfdfcf4d8d83546099dcc229310e0986b551e457eb64e842d9aad1b606719913dcd444def9ef83b726a9ab5049a69dc7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
cd479d111eee1dbd85870e1c7477ad4c

SHA1
01ff945138480705d5934c766906b2c7c1a32b72

SHA256
367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

SHA512
8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
76231f812a77727eb4bdeb2409cf942f

SHA1
c39fb549cfe092dddddb59536d565e55a89c93a5

SHA256
7c29a172e6b9c466afeba7148ad9ce6a1a89a7e538200a6c43ad86a279a66dd4

SHA512
f540c657807312c5890fbabed6ac16a62bab962f308ddb23a15c913075afa68fdc7636648eeb50d5b4a1e26d497cc17031bd80d6d8e9d7e86fea16037a0097f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
1a3808e1be6302f046aada94ac685402

SHA1
9c815f53ed1085a59c345fabc6e826d992b58066

SHA256
e07ddabc0a414799d090fe36d4196e8cd5471dd9718649e545410f14ef7ca251

SHA512
5e6e879b0fd3fa038bc5e7ede14231399450f12311728bbc97256f548ce6f2b72fbe88c048507d2766a09ae42d2f5b3aaf49e2a32b07426558867e9452b2eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avx0z144\CSC81F2FC06FDE47B0AAA9B725A5ED874.TMP

Filesize
652B

MD5
349f5041a5f77b42bf6c15ddc1e41b35

SHA1
ccdda150574a8ba9b57e5566a042133dbbee1990

SHA256
4df880a59dd09e0ab5448fc39ac5e871eee01375021ada9d7dfcc1a68ebb7fc6

SHA512
995b8acace8b046a00d9b8bb4520670c3f6e1f3fc98cfa0768fc3dc3b251651a526e4491549fe0690197e0a5bb3fdc33f644ef6a7a21215b317489ba8851be91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avx0z144\avx0z144.0.cs

Filesize
357B

MD5
009d7b7afeb5be67cbf44e153de794fb

SHA1
a738ee2593d4f242fffb85d6f00fe6ed5cc9e2a7

SHA256
5aa9367b40feb22305451b4989df28a091ed266bb521f6e930351f5e68e9d576

SHA512
c8a9eeea9c731ac7b34e7f07b920297e2eb13c803c9027b4e7bf6524e228ac95536c52ab5baa61e2c80c1ca3706eab64a7969dc4f2c410d01d05197ed52b11a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avx0z144\avx0z144.cmdline

Filesize
369B

MD5
36baa5d9bb1b4b10c034a453cb7143e7

SHA1
b8d326aa6aae63011004bc2221ba0ee1f38b31f4

SHA256
a0c9c706791e072dae0f63c45259d5d4b01228e54feb71c5caebd3e301ef835a

SHA512
f8fceb2d7426cbfddf29e5262625a264f30b03571d4226d4e8acbb3ca91b98dddef88617b6d695b359692b49fb95523425b5325e2de5f5001f21da31c86fdd5b

Download Submit
memory/3672-442-0x00000163512E0000-0x0000016351330000-memory.dmp

Filesize
320KB

Download
memory/3672-428-0x0000016336290000-0x0000016336D92000-memory.dmp

Filesize
11.0MB

Download
memory/3672-480-0x00000163512B0000-0x00000163512CE000-memory.dmp

Filesize
120KB

Download
memory/3672-479-0x0000016351420000-0x0000016351496000-memory.dmp

Filesize
472KB

Download
memory/4512-18-0x00007FFC8FB63000-0x00007FFC8FB65000-memory.dmp

Filesize
8KB

Download
memory/4512-501-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-11-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-15-0x0000020E7FE90000-0x0000020E7FEBA000-memory.dmp

Filesize
168KB

Download
memory/4512-429-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-16-0x0000020E7FE90000-0x0000020E7FEB4000-memory.dmp

Filesize
144KB

Download
memory/4512-17-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-14-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-13-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-12-0x0000020E7FE60000-0x0000020E7FE82000-memory.dmp

Filesize
136KB

Download
memory/4512-1-0x0000020E65100000-0x0000020E65A20000-memory.dmp

Filesize
9.1MB

Download
memory/4512-385-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-502-0x0000020E7FED0000-0x0000020E7FEE6000-memory.dmp

Filesize
88KB

Download
memory/4512-503-0x0000020E7FEC0000-0x0000020E7FECA000-memory.dmp

Filesize
40KB

Download
memory/4512-504-0x0000020E7FF70000-0x0000020E7FF96000-memory.dmp

Filesize
152KB

Download
memory/4512-19-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download
memory/4512-21-0x0000020E7FE90000-0x0000020E7FEA2000-memory.dmp

Filesize
72KB

Download
memory/4512-22-0x0000020E7FE40000-0x0000020E7FE4A000-memory.dmp

Filesize
40KB

Download
memory/4512-195-0x0000020E7FE50000-0x0000020E7FE5C000-memory.dmp

Filesize
48KB

Download
memory/4512-0-0x00007FFC8FB63000-0x00007FFC8FB65000-memory.dmp

Filesize
8KB

Download
memory/4512-517-0x0000020E01AA0000-0x0000020E01AA8000-memory.dmp

Filesize
32KB

Download
memory/4512-670-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads